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1.0 


INTRODUCTION 


This  report  presents  a formal  top  level  interface  specifi- 
cation of  a kernel  for  a secure  communications  processor 
based  on  a Honeywell  Level  6/40  minicomputer  enhanced  with 
a security  protection  module  (Reference  3) . This  kernel 
provides  access  controls  to  support  the  security  and  inte- 
grity access  policies  as  defined  in  the  Bell  and  LaPadula 
model  (Reference  1) . 

This  specification  is  intended  to  be  suitable  for  formal 
proof  of  correctness.  The  specification  is  written  in  the 
formal  specification  and  assertion  language,  SPECIAL,  devel- 
oped by  Stanford  Research  Institute  (Appendix  B) . 

Implementation  of  this  specification  is  intended  to  support 
both  secure  front-end  processor  applications  and  general- 
purpose  stand-alone  communications  applications. 

2.0  SPECIAL  OVERVIEW 

The  following  description  is  intended  to  serve  only  as  an 
overview  of  some  of  the  basic  features  of  SPECIAL.  For  a 
complete  description  of  the  language,  the  reader  is  referred 
to  the  SPECIAL  reference  manual  written  by  Stanford  Research 
Institute  and  included  as  Appendix  B of  this  document. 

SPECIAL  allows  for  the  definition  of  abstract  data  objects 

and  operations  performed  upon  these  objects.  The  objects  are 

represented  as  V-functions,  i.e.,  functions  that  return  a 

value.  The  collection  of  V-functions  represents  the  state  of 

1 


the  system  being  specified.  Operations  on  objects  are  repre- 
sented by  O-functions.  O-functions  modify  the  values  of 
V-f unctions  and  thereby  change  the  state  of  the  system.  A 
third  class  of  functions  is  that  of  OV-f unctions , i.e.,  func- 
tions that  both  change  the  system  state  and  return  a value. 

A distinction  among  V-functions  is  that  they  can  be  either 
primitive  or  derived.  The  value  of  a derived  V-f unction  is 
simply  an  expression  in  terms  of  other  V-functions.  Only  the 
values  of  primitive  V-functions  can  be  changed  by  O-functions 
and  this  implicitly  changes  the  values  of  related  derived 
V-functions . 

A second  distinction  among  V-functions  is  that  they  can  be 
either  visible  or  hidden.  A visible  V-f unction  is  one  that 
is  available  to  the  outside  world.  A hidden  V-function  can 
only  be  referenced  from  within  other  functions.  By  convention, 
the  names  of  all  hidden  V-functions  contained  in  the  kernel 
specification  begin  with  the  prefix  "h_". 

An  individual  function  specification  comprises  several 
different  parts.  For  visible  functions,  the  first  part  is 
always  a list  of  exception  conditions,  i.e.,  conditions  under 
which  the  function  fails  to  operate  or  return  a value.  These 
exceptions  apply  only  when  a visible  function  is  referenced 
from  the  outside  world.  When  referenced  internally,  i.e., 
from  within  another  function,  exceptions  are  ignored.  Simi- 
larly, hidden  functions,  which  can  only  be  referenced 
internally,  have  no  exceptions.  The  order  of  exceptions  is 
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significant.  Each  exception  condition  is  checked  in  turn,  and 
only  if  all  the  conditions  are  false  will  the  effects  take 
place  and/or  the  value  be  returned.  The  calling  program  may 
depend  on  the  order  in  which  the  exception  conditions  are 
checked.  The  remaining  parts  of  a function  specification 
differ  for  V-functions  and  O-functions.  In  the  case  of  a V- 
function,  the  specification  contains  either  an  initial  value 
for  a primitive  V-function  or  the  derivation  expression  for  a 
derived  V-function.  O-functions  and  OV-f unctions  contain  a 
list  of  "effects"  that  describe  changes  to  V-functions.  For 
an  OV-function,  the  effects  also  define  the  output  value.  The 
order  of  effects  within  a given  list  is  unimportant.  All 
effects  occur  at  once,  i.e.,  instantaneously.  Within  an 
effects  list,  references  are  made  to  the  old  and  new  values  of 
V-functions,  i.e.,  the  values  before  and  after  the  effects  have 
occurred.  The  new  value  of  a V-function  is  indicated  by  a 
single  quotation  mark  (')  preceding  the  V-function  name. 

The  entire  set  of  functions  which  constitute  the  top  level 
specification  are  divided  into  groups  called  modules.  The 
purpose  of  modules  is  to  allow  the  specifier  to  conveniently 
organize  a possibly  large  number  of  functions  into  small 
groupings  that  can  be  easily  understood.  The  modularization 
serves  no  other  purpose.  Often,  the  modules  may,  in  some  ways, 
correspond  to  actual  program  modules  in  a perceived  implementa- 
tion. This,  however,  is  not  necessary. 

Function  references  between  modules  are  permitted.  A function 

of  one  module  can  observe  the  value  of  V-functions,  including 
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hidden  V-functions,  of  any  other  module.  However,  V-functions 
can  only  be  directly  modified  by  0-  or  OV-functions  of  the 
same  module.  Therefore,  in  order  for  one  module  to  change 
a V-f unction  of  another  module,  the  first  module  must  invoke 
an  0-  or  OV-f unction  of  the  second  module. 

The  specification  of  a module  is  divided  into  six  sections 
as  follows: 

1.  TYPES 

This  section  defines  new  data  types  which  supplement 
the  primitive  data  types  of  the  language. 

2.  DECLARATIONS 

This  section  defines  variable  names  and  their  associated 
data  types. 

3.  PARAMETERS 

This  section  defines  named  constants  which,  in  SPECIAL, 
are  called  parameters. 

4.  DEFINITIONS 

This  section  allows  for  the  specification  of  macros. 

5.  EXTERNALREFS 

This  section  defines  all  external  functions  referenced 
within  the  module. 

6 . FUNCTIONS 

This  section  contains  all  of  the  individual  function 
specifications  for  the  module. 

SECURITY  KERNEL  SPECIFICATION  OVERVIEW 

The  SCOMP  kernel  specification  is  divided  into  the  following 


modules : 
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clock 


• access_levels 

• processes 

• volumes 

• quota_cells 

• segments 

• devices 

• address_spaces 

• host_interfaces 

Each  module  takes  the  form  of  an  object  manager;  i.e.,  each 
module  defines  the  data  representation  and  operations  for  a 
particular  object  type. 

The  functions  of  these  modules  define  the  top  level  kernel 
interface.  The  visible  kernel  interface  includes  all  non- 
hidden  V-functions  and  all  0-  and  OV-functions  not  specif- 
ically excluded  from  the  interface  by  the  SCOMP-kernel  inter- 
face specification  which  precedes  the  module  specifications. 

The  SCOMP-kernel  interface  specification  identifies  the  modules 
that  compose  the  interface  and,  for  each  module,  identifies 
the  0-  and  OV-functions  that  are  excluded  from  the  interface. 
Unlike  the  module  specifications,  the  interface  specification 
is  not  written  in  SPECIAL,  but  is  written  in  a specific  inter- 
face specification  language  also  developed  by  Stanford 
Research  Institute.  Functions  excluded  from  the  interface 
are  specified  following  the  WITHOUT  clause  for  each  module. 
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4.0 


SCOMP  KERNEL  MODULES 


4.1 


Clock 


The  first  module  of  the  SCOMP  kernel  specification  describes 
the  system  real-time  clock.  The  read_real_clock  function 
returns  the  current  value  of  the  system  real-time  clock.  The 
clock  is  used  as  a source  of  unique  identifiers  by  the  various 
kernel  modules. 


The  access  levels  module  serves  to  define  the  internal 
structure  of  an  access  level.  An  access  level  is  composed 
of  both  a security  level  and  an  integrity  level.  A security 
level  or  an  integrity  level  is  composed  of  both  a level  number 
(e.g.,  confidential,  secret)  and  a category  set  (e.g.,  NATO, 
crypto) . 

The  access  levels  module  contains  functions  for  determining 
subject  access  (read,  write,  or  read/write)  to  an  object. 

These  functions  implement  the  nondiscretionary  access  control 
policies  of  the  security  model  (simple  security  and  the 
♦-property) . The  functions  take  as  input  a subject  access 
level,  an  object  access  level,  and  a boolean  value  indicating 
whether  the  subject  is  trusted.  All  access  control  decisions 
made  by  the  kernel  depend  on  these  functions. 


The  processes  module  is  concerned  with  the  creation  and  dele- 
tion of  processes,  interprocess  communication,  process  sched- 
uling priority,  process  virtual  clocks,  and  process  real  timers. 


4.2 


Access  Levels 


4.3 


Processes 
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At  process  creation,  the  access  level  of  the  new  process,  the 
trusted  or  untrusted  status  of  the  new  process,  and  the 
scheduling  priority  of  the  new  process  are  specified.  Process 
creation  and  deletion  are  restricted  to  the  trusted  initializer 
process  only.  For  this  reason,  process  creation  cannot  serve 
as  an  information  path  between  untrusted  processes.  Therefore, 
knowledge  of  the  existence  of  processes  is  not  restricted. 

The  processes  module  provides  an  interprocess  communication 
mechanism  via  the  block,  read-messages,  send-signal,  and 
wake-up  functions.  The  send-signal  and  wake-up  functions 
insert  a message  into  the  target  process  message  queue.  If 
the  target  process  state  is  blocked,  the  process  state  is 
changed  to  ready.  The  difference  between  signals  and  wake-ups 
is  that  a signal  is  recognized  immediately  by  the  receiving 
process  whereas  a wake-up  is  not  recognized  until  the  receiving 
process  next  invokes  the  block  or  read_messages  functions. 

The  block  function  allows  a process  to  read  its  message  queue; 
if  the  queue  is  empty,  the  process  is  blocked  (state  changes 
to  block)  until  a message  arrives.  A read_messages  function 
is  provided  that  simply  reads  any  pending  messages,  but  will 
not  wait  for  a message  to  arrive. 

The  processes  module  supports  the  process  scheduling  mechanism, 
which  is  hidden  within  the  kernel,  by  maintaining  the 
scheduling  priority  of  each  process.  Process  priority  is 
modified  via  the  set_priority  function.  A process  may 
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change  its  own  priority  without  any  restrictions  being 
imposed  by  the  kernel;  however,  the  priority  of  another 
process  may  only  be  increased.  The  purpose  of  this  mechanism 
is  to  allow  a process  to  associate  a message  with  a priority. 
A message  may  be  sent  to  another  process  via  the  wake-up  or 
send_signal  functions.  The  sender  may  then  request  that  the 
scheduling  priority  of  the  target  be  changed  to  that  of  the 
message.  If  the  message  priority  is  greater  than  the  current 
target  process  scheduling  priority,  its  priority  is  raised 
to  that  of  the  message. 

The  process  module  supports  real-time  timers;  the  kernel 
maintains  one  real  timer  per  process.  If  additional  timers 
are  required  by  a process,  they  must  be  managed  by  the 
clock  manager  portion  of  the  supervisor.  When  a timer  is 
set,  the  caller  specifies  the  timer-interval,  a wake-up 
message  (timer  identifier) , and  the  interrupt  level  at 
which  the  clock  manager  is  to  run.  When  a timer  runout 
occurs,  the  target  process  is  sent  a wake-up  message  and  the 
corresponding  timer  level  indicator  is  set.  Upon  process 
dispatch,  the  process  will  execute  the  level  handler  corres- 
ponding to  the  highest  priority  level  indicator  which  is  set. 

The  processes  module  also  supports  a per  process  virtual- 
time clock  which  only  runs  when  the  process  state  is  running. 
Ideally,  process  virtual  time  represents  the  real  time  that 
a process  has  actually  been  running  on  a processor  with 
subtractions  made  for  certain  hidden  events  such  as  page 
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faults  and  interrupts.  The  objective  is  to  factor  out  time 
spent  performing  hidden  operations  that  support  the  virtual 
process  environment  because  this  time  is  unpredictable  and, 
in  general,  depends  upon  the  activities  of  other  processes. 

The  implementation  of  this  ideal  virtual  clock  is  difficult. 
Thus,  the  kernel  allows  access  to  the  virtual  clocks  only  to 
the  trusted  time-monitor  process  for  accounting  purposes. 

4 . 4 Volumes 

The  volumes  module  is  concerned  with  the  creation  and  deletion 
of  volumes,  and  the  mounting  and  demounting  of  volumes.  Vol- 
umes are  considered  a logical  subdivision  of  secondary  storage 
consisting  of  a single  disc  pack. 

At  volume  creation,  minimum  and  maximum  access  levels  for  the 

volume  are  specified.  These  access  levels  define  the  range 

of  access  levels  of  information  (i.e.,  segments)  that  can  be 

stored  on  the  volume.  The  minimum  access  level  of  the  volume 

also  serves  as  a visibility  access  level  for  the  volume. 

Volume  creation  and  deletion  are  restricted  to  the  trusted 

volume  initializer  process  to  allow  a limit  to  be  placed  on 

the  number  of  volumes  without  creating  an  information  channel. 

At  volume  creation,  an  initial  quota  cell  and  quota  cell  limit 

are  created  for  the  volume.  The  quota  value  of  the  initial 

quota  cell  is  set  to  the  volume  size  (i.e.,  the  number  of 

pages  on  the  volume) . The  quota  limit  value  of  the  initial 

quota  cell  limit  is  set  to  the  number  of  allowed  quota  cells 

per  volume.  Details  on  quota  cells  may  be  found  in  the 

description  of  the  quota_cell  module. 
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The  only  operations  which  can  be  performed  on  a volume  by 
untrusted  processes  are  mounting  and  demounting.  Both  of 
these  operations  require  that  the  caller's  access  level  be 
equal  to  the  volume  minimum  access  level  because  the  mounting 
and  demounting  of  a volume  can  be  detected  by  any  process  at 
an  access  level  equal  to  or  greater  than  the  volume  minimum 
access  level.  To  prevent  the  creation  of  an  information 
channel  caused  by  the  finite  number  of  disc  drives  in  the 
system,  disc  drives  are  allocated  by  access  level.  The  kernel 
requires  that  for  a process  to  mount  a volume  on  a disc  drive, 
the  process  access  level,  the  volume  minimum  access  level,  and 
the  drive  access  level  must  all  be  equal.  The  access  level 
distribution  of  free  disc  drives  may  be  changed  dynamically, 
if  necessary,  by  the  trusted  initializer  process  using  the 
change  drive_count  function. 

4 . 5 Quota  Cells 

The  quota  cells  module  is  concerned  with  the  management  of 
volume  quota  and  provides  the  mechanism  to  build  a hierarchical 
file  system  outside  the  kernel.  Quota  cells  are  the  mechanism 
by  which  the  sharing  of  pages  on  a volume  is  controlled  - each 
segment  is  assigned  to  a particular  quota  cell.  The  kernel 
provides  a general  interface  that  allows  any  arbitrary  collec- 
tion of  segments  having  the  same  access  level  to  be  assigned 
to  the  same  quota  cell.  The  supervisor  (i.e.,  file  manager) 
is  responsible  for  imposing  an  arrangement  of  quota  cells 
and  segments  that  reflects  a directory  hierarchy. 
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At  quota  cell  creation,  a volume,  an  access  level,  and  a 
visibility  access  level  are  specified.  The  two  access  levels 
must  be  within  the  volume  range.  Storage  space  on  a volume  is 
first  made  available  by  the  creation  of  an  initial  quota  cell 
at  volume  creation.  Both  the  access  level  and  the  visibility 
access  level  of  the  initial  quota  cell  must  equal  the  volume 
minimum  access  level  permitting  the  initial  quota  to  be  dis- 
tributed to  higher  access  levels  as  needed.  All  other  quota 
cells  are  created  with  a quota  of  zero  pages.  In  order  to 
assign  a nonzero  quota  to  a new  quota  cell,  quota  must  be 
moved  from  some  other  quota  cell  on  the  same  volume.  Quota 
cannot  be  moved  downward  by  untrusted  processes  - the  move_ 
quota  function  requires  that  the  target  quota  cell  have  an 
equal  or  greater  access  level  than  the  source  quota  cell;  only 
trusted  processes  may  move  quota  downward. 

A reference  count  is  associated  with  each  quota  cell.  This 
count  is  the  number  of  segments  that  charge  pages  to  the 
quota  cell.  As  long  as  this  count  is  nonzero,  the  quota 
cell  cannot  be  deleted.  Another  attribute  of  a quota  cell 
is  the  count  of  pages  used.  This  count  is  changed  by  the 
creation  and  deletion  of  segments  (segment  length  is  con- 
verted to  equivalent  pages)  as  specified  in  the  segments 
module.  For  all  quota  cells,  the  pages  used  count  is  not 
permitted  to  exceed  the  quota. 

To  prevent  the  creation  of  an  information  path  resulting 
from  shared  finite  resources,  a limit  is  placed  on  the  number 
of  quota  cells  that  can  be  created  on  a volume.  At  volume 
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creation,  the  volume  quota  cell  limit  is  assigned  to  the 
volume  minimum  access  level  permitting  the  volume  limit 
to  be  distributed  to  higher  access  levels  as  needed.  All 
other  access  levels  quota  limits  are  initially  zero.  In 
order  to  create  a new  quota  cell  with  a visibility  access 
level  greater  than  the  volume  minimum  access  level,  the 
quota  cell  limit  must  be  redistributed  from  some  lower 
access  level  limit  on  the  volume.  The  quota  cell  limit 
cannot  be  moved  downward  by  untrusted  processes  - the 
change_quota_cell_limit  function  requires  that  the  target 
quota  cell  limit  have  a greater  visibility  access  level  than 
the  source  quota  cell  limit;  only  trusted  processes  may 
change  quota  cell  limits  downward. 

4 . 6 Segments 

The  segments  modules  is  concerned  with  the  management  of 
segments,  the  logical  unit  of  storage  for  SCOMP.  Within 
this  module,  segments  are  identified  by  global  identifier 
only;  the  local  process  view  of  segments  are  identified  by 
segment  number,  as  defined  in  the  address_spaces  module. 

The  segments  module  also  specifies  the  interface  for  the 
SCOMP  memory  manager  process  which  is  responsible  for  all 
memory  manager  policy  decisions. 

At  segment  creation,  a visibility  access  level,  a volume, 

a quota  cell,  and  a segment  length  must  be  specified.  The 

new  segment  resides  on  the  specified  volume  and  charges 

its  pages  to  the  specified  quota  cell.  The  access  level 

of  the  new  segment  is  equal  to  that  of  its  associated  quota 
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cell.  The  number  of  pages  charged  to  its  quota  cell  is 
derived  directly  from  the  requested  segment  length;  initially 
all  words  of  a segment  have  a value  of  zero.  Only  paged 
segments  may  be  dynamically  created  by  a user;  no  main  memory 
allocation  is  made  at  segment  creation.  No  limit  is  placed 
on  the  number  of  segments  that  can  be  created  on  a given 
volume . 

For  flexibility,  a memory  manager  interface  has  been  included 
in  the  kernel  specification  in  the  segments  module.  The 
memory  manager  is  to  be  an  untrusted  process  running  at 
system  high  wnich  is  responsible  for  all  memory  management 
policy  decisions;  the  kernel  provides  the  mechanisms  for 
implementing  its  policy  decisions.  Thus,  policy  may  change 
without  affecting  the  kernel. 

The  memory  manager  interface  must  be  flexible  in  order  to 
accommodate  the  various  operating  environments  for  SCOMP. 

That  is,  the  kernel  specification  must  be  applicable  to  the 
following  configurations: 

• High  performance,  core-only  system  with  sufficient  memory  to 
preallocate  memory  at  load  time;  for  performance  reasons, 
unpaged  segments  are  utilized  as  much  as  possible. 

• High  performance,  core-only  system  with  insufficient  memory 
to  preallocate  all  data  buffers  at  load  time;  thus,  a 
simple  buffer  manager  is  required. 

• Medium  performance,  disc-supported,  fully-paged  virtual 
memory  system  with  a general  memory  management  function. 
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Tne  kernel  specification  satisfies  the  requirements  imposed 

by  the  various  configurations,  yet  retains  a simple  user 

interface,  by  imposing  the  following  rules  and  conventions: 

• Paging  is  invisible  to  all  user  processes;  visibility  of 
paging  is  restricted  to  the  memory  manager.  The  only 
reason  for  the  visibility  of  paging  effects  within  the 
specification  is  to  support  the  memory  manager  interface. 

a Unpaged  segments  must  be  defined  at  load  time  and  retained 
in  core  until  deleted;  only  paged  segments  are  subject  to 
dynamic  memory  management. 

• The  allocation  of  real  memory  to  requestors  is  postponed 
as  long  as  possible  by  the  kernel;  no  real  memory  is 
allocated  until  the  user  attempts  to  access  it. 

The  kernel  design  envisioned  is  as  follows: 

• The  kernel  has  a free  list  of  available  memory  pages  from 
which  it  draws  to  satisfy  access  requests  (allocate_page 
function) . 

• When  the  number  of  free  pages  falls  below  some  fixed 
threshold  (min_free_page_count) , the  external  memory 
manager  is  requested  to  provide  additional  pages  (page_ 
request_count) . 

• When  the  kernel  is  unable  to  satisfy  an  access  request, 
the  requestor  is  delayed  until  free  resources  are  available 
(as  supplied  by  the  memory  manager) . 

The  kernel  specification  provides  a memory  manager  interface 

via  two  functions:  get_memory_data  and  provide  free  pages. 

These  functions  are  only  available  to  the  memory  manager. 
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The  get_memory_da ta  function  provides  a list  of  pages  eligible 
for  memory  deallocation.  The  memory  utilization  data  consists 
of  the  global  segment  name,  the  page  number,  the  page  core 
address,  an  indication  of  whether  the  page  has  been  used  since 
the  last  time  the  function  was  called,  and  an  indication  of 
whether  the  page  has  been  modified  since  it  was  placed  in  main 
memory.  To  be  eligible  for  deallocation,  a page  must  be  in 
core,  and  not  wired.  The  provide_f ree_pages  function  notifies 
the  kernel  of  the  pages  selected  by  the  memory  manager  for 
deallocation.  These  pages  are  swapped  to  disc  if  modified  and 
placed  on  the  free  list.  The  data  provided  by  the  kernel  to 
the  memory  manager  process  appears  sufficient  to  support  a 
reasonable  memory  management  policy,  e.g.,  frequency  of  page 
use  is  provided  along  with  method  of  access  (read  or  write)  - 
thus,  a reasonable  policy  would  be  to  favor  pages  used 
infrequently  in  a read  mode  only. 

Functions  are  defined  for  reading  and  writing  the  contents 
of  segments  (i.e.,  read/read).  These  functions  have  certain 
side  effects,  as  well.  That  is,  if  the  target  segment  is 
paged,  then  the  kernel  checks  the  page_in_core  indicator.  If 
not  in  core,  a free  page  is  allocated  to  the  process  to 
satisfy  the  request.  If  the  free  page  count  falls  below  some 
minimum  threshold,  the  memory  manager  is  sent  a wake-up. 

Segment  deletion  requests  are  delayed  until  all  outstanding 
I/O  on  the  segment  has  completed.  Upon  satisfaction  of  this 
condition,  and  if  no  exception  conditions  are  true,  pages  in 
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core  (paged  segment  only)  are  added  to  the  free  list. 

Similarly,  an  unpaged  segment  (which  must  be  in  core)  is 
converted  to  equivalent  pages  and  added  to  the  free  list. 

The  page  quota  of  the  quota  cell  associated  with  the  segment 
is  increased  by  the  equivalent  segment  length. 

To  support  memory  management,  the  segments  module  is  re- 
sponsible for  monitoring  pages  used,  pages  modified,  and 
segments  wired  on  a global  basis.  Since  page  descriptors 
are  to  be  shared,  page  used  and  modified  indicators  are  only 
maintained  within  the  segments  module,  no  process  local  view 
of  page  utilization  (within  the  address_spaces  module)  is 
necessary.  However,  wired  segments  are  locally  known  (a 
segment  must  be  locally  wired  to  perform  I/O) . The  segments 
module's  global  view  of  wired  segments  is  derived  from  the 
local  data  and  provides  a count  of  the  number  of  processes 
which  have  the  segment  wired.  The  hidden  change_wire_count 
function  is  called  from  address_spaces  whenever  a segment  is 
locally  wired  (wire_seg)  or  unwired  (unwire_seg) . 

4 . 7 Devices 

The  devices  module  is  responsible  for  the  management  of 
devices.  Within  this  module,  devices  are  identified  by  global 
identifier  only;  the  local  process  view  of  devices,  where 
devices  are  identified  by  device  number,  is  defined  in  the 
address_space  module.  The  device  module  also  specifies  the 
interface  for  the  SCOMP  device  monitor  process. 
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At  device  creation,  the  device  access  level,  the  device  type, 
and  the  device  mapping  mode  are  specified.  Since  all  devices 
are  read-write  from  a security  viewpoint  (all  operations  may 
return  status  information  visible  to  a using  process  and  may 
result  in  a change  of  state  visible  to  the  external  world) , a 
process  must  have  an  access  level  equal  to  that  of  the  device 
in  order  to  initiate  it.  The  device  type  is  used  to  define 
those  read  and  write  control  operations  valid  for  user 
processes  to  perform  with  the  device.  The  mapping  mode  speci- 
fies whether  the  device  is  to  operate  mapped  or  premapped. 
Device  creation  and  deletion  are  restricted  to  the  trusted 
device  manager  process.  Similarly,  the  modification  of  device 
attributes  (access  level  and  mapping  mode)  is  restricted  to 
the  device  manager. 

For  completeness,  a device  monitor  interface  has  been  included 
in  the  kernel  specification  in  the  devices  module.  The  device 
monitor  process  would  be  analogous  to  the  memory  manager 
process.  The  get_device_data  function  provides  the  necessary 
interface.  The  function  provides  the  device  utilization  data 
to  the  device  monitor.  This  information  consists  of  the 
device  global  name,  a device  initiated  indicator,  an  indica- 
tion of  whether  the  device  has  been  used  since  the  function 
was  last  called,  and  an  indicator  of  whether  the  device  has 
been  written  to  since  the  function  was  last  called  for  all 
devices  which  exists  in  the  global  device  catalog. 
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The  devices  module  also  includes  the  device_wake-up  function 
which  notifies  the  device  initiator  process  of  asynchronous 
I/O  termination.  When  the  termination  interrupt  is  received, 
the  kernel  sends  the  initiator  process  a wake-up  message 
consisting  of  the  device  local  name  and  sets  the  correspond- 
ing device  level  indicator  which  schedules  the  device  handler 
for  the  process. 

4 . 8 Address  Spaces 

The  address  spaces  module  supports  both  the  binding  of  segment 
numbers  to  segments  and  device  numbers  to  devices  within  a 
process  as  well  as  the  granting  and  revoking  of  current  access 
to  segments  and  devices.  In  addition,  this  module  provides 
kernel  interface  functions  for  reading  and  writing  segments 
and  devices,  as  well  as  functions  to  support  trap  and  level 
handling  within  a process. 

The  binding  of  a segment  number  to  a segment  is  accomplished 
via  the  assign_segno  function.  The  assigned  segment  number 
is  selected  by  the  supervisor,  not  the  kernel.  Information 
about  assigned  segments  is  maintained  in  a per-process  table 
called  the  known  segment  table  (kst) . The  kst  is  represented 
by  a collection  of  V-f unctions.  Similarly,  the  binding  of  a 
device  number  to  a device  is  accomplished  via  the  assign_ 
devno  function.  The  assigned  device  number  is  selected  by 
the  supervisor,  not  the  kernel.  Information  about  assigned 
devices  is  maintained  in  a per-process  table  called  the  known 
device  table  (kdt) . The  kdt  is  represented  by  a collection 


of  V-f unctions. 
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The  assignment  of  a segment  number  to  a segment  or  a device 
number  to  a device  does  not  make  the  segment  or  device  directly 
accessible.  Object  access  is  accomplished  via  the  give  access 
and  give_device_access  functions  for  which  the  caller  specifies 
the  access  mode  and  ring  brackets  for  the  segment  or  device. 

The  requested  access  mode  is  modified,  if  necessary,  by  the 
kernel  to  conform  to  access  level  restrictions.  For  device 
access,  a process  level  must  also  be  defined  (at  which  a device 
handler  must  have  been  previously  defined)  in  order  to  allow 
the  process  execution  point  to  be  properly  handled  during 
asynchronous  I/O  termination  notification  (i.e.,  device 
wake-up) . Any  process  can  grant  itself  access  to  a segment 
or  device  in  this  fashion.  However,  it  is  expected  that  the 
supervisor  will  control  the  use  of  these  functions  so  as  to 
enforce  the  discretionary  access  control  list  (ACL)  policy. 
Similarly,  the  supervisor  will  enforce  the  discretionary 
ring  bracket  policy.  The  kernel  requires  only  that  the  seg- 
ment and  device  ring  brackets  be  outside  the  kernel  ring. 

Functions  are  also  provided  to  revoke  the  access  of  all 
processes  to  a given  segment  or  device.  These  functions 
can  be  used  by  the  supervisor  to  force  all  processes  to 
recompute  access  to  a segment  or  device  after  an  ACL  has 
been  changed.  Once  access  has  been  revoked,  subsequent 
references  to  the  segment  or  device  will  cause  an  exception. 

The  address_spaces  module  also  includes  a revoke_vol  access 
function.  At  the  time  a volume  is  demounted,  access  to  all 
segments  on  the  volume  is  revoked  by  the  use  of  this  function. 
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The  address  spaces  module  provides  two  functions,  hidden  from 
the  kernel  interface,  which  support  process  creation  and 
deletion.  The  init_address_space  function  initializes  the 
new  process  address  space  at  process  creation  time.  The 
process  kst  is  initialized  to  a template_kst  and  the  initial 
process  execution  point  is  defined.  This  process  initializa- 
tion is  identical  for  all  processes.  It  is  envisioned  that 
the  new  process  will  then  utilize  the  interprocess  communi- 
cations mechanism  to  communicate  with  the  initializer  process 
(e.g. , answering  service  process)  to  obtain  sufficient  data 
to  establish  its  process-unique  functionality  (e.g.,  create 
its  kdt) . The  purge_address_space  function  releases  all 
segments  and  devices  in  the  address  space  of  the  process  at 
process  deletion  time. 

Several  functions  in  the  address_spaces  module  represent 
either  memory  reference  or  device  reference  operations 
associated  with  classes  of  machine  instructions.  These 
functions  include: 

® Read  seg  - reads  a word  from  a segment  for  process 
- represents  all  load  memory  instructions 
o Write  seg  - writes  a word  to  a segment  for  process 

- represents  all  store  memory  instructions 

• Execute  seg  - executes  a word  from  a segment  for  process 

- represents  all  fetch  instruction  from 
memory  cycles 

• Call  - initiates  inter-ring  inward  movement  for  process 

- represents  Link  Jump  across  Rings  (LNJR)  machine 


instruction 
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• Return  - initiates  inter-ring  outward  movement  for  process 

- represents  Return  (RETN)  machine  instructions 

• Sync_device_read  — reads  a word  from  a device  synchronously 

for  process 

- represents  all  PIO  input  instructions 
(10,  IOH) 

• Sync_device_write  - writes  a word  to  device  synchronously 

for  process 

- represents  all  PIO  output  instructions 
(10,  IOH) 

• Connect_device_read  - starts  an  asynchronous  read  operation 

from  device  for  process 
- represents  all  DMA  input  connect 
instructions  (IOLD) 

• Async_device_read  - asynchronously  reads  a word  from  mapped 

device  to  segment  for  process 

- represents  DMA  transfer  from  device 
to  memory  (IOLD  execution) 

• Connect_device_write  - starts  an  asynchronous  write 

operation  to  device  for  process 
- represents  all  DMA  output  connect 
instructions  (IOLD) 

• Async_device_write  - asynchronously  writes  a word  from 

segment  to  mapped  device  for  process 
- represents  DMA  transfer  from  memory 
to  device  (IOLD  execution) 
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The  address  spaces  module  also  includes  two  functions 
primarily  intended  to  support  secure  user-intiated  I/O.  A 
segment  must  be  maintained  in  main  memory  (no  page  faults) 
during  DMA  I/O  to  prevent  security  violations.  The  function 
wire  seg  provides  the  mechanism  by  which  a user  may  insure 
that  an  entire  segment  is  in  main  memory  and  no  longer  eligible 
for  deallocation  by  the  memory  manager.  The  function  unwire_ 
seg  releases  a wired  segment.  The  effects  of  wire_seg  are 

to  set  a process- local  wire  indicator  (h_kst seg_wired)  on 

the  segment  descriptor  and  a global  wire  indicator  (h_seg_ 
wire  count) . The  global  indicator  is  used  to  support  the 
memory  manager  interface  while  the  local  indicator  is  checked 
by  the  hardware  before  allowing  a connect_device  operation 
to  proceed.  In  order  to  have  a process-local  mechanism  to 
mediate  unwire  seg  requests,  yet  support  multiple  devices 
performing  I/O  on  the  same  segment,  an  I/O  count  (h_kst_seg_ 
io  count)  is  also  maintained  on  the  process -local  segment 
descriptor.  The  I/O  count  is  incremented  (by  hardware) 
whenever  a DMA  transfer  is  initiated  and  decremented  (by 

hardware)  upon  I/O  termination  (i.e.,  effects  of  device 

wake-up) . 

The  address_spaces  module  allows  a process  to  execute  at 
multiple  interrupt  priority  levels  within  its  address  space. 
Three  visible  functions  are  adequate  to  support  this  capa- 
bility. The  set  level  handler  function  allows  a user  to 
specify  a level  handler  (i.e.,  task  handler)  for  a process  at 
a given  interrupt  priority  level.  The  kernel  enforces  the 
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discretionary  ring  bracket  policy  within  this  function  as 
follows:  (a)  the  effective  ring  of  execution  of  the  level 

handler  cannot  be  more  privileged  than  the  caller  ring; 
and,  (b)  if  a more  privileged  level  handler  already  exists, 
then  the  request  is  denied  (if  the  existing  handler  is  not 
more  privileged,  it  is  replaced) . The  modify_activity_ 
level  and  the  lev  functions  allow  a user  to  manipulate 
the  activity  level  indicators  for  his  process.  They  repre- 
sent the  functionality  provided  by  the  level  change  (LEV) 
machine  instruction.  The  modif y_activity  level  function 
reflects  the  defer  interrupt  option  of  the  LEV  instruction. 

The  lev  function  reflects  both  the  normal  LEV  instruction 
(level  context  switch)  execution  and  its  suspend  level  option. 
The  only  requirement  for  these  functions  is  that  the  level  to 
be  manipulated  must  have  a defined  handler . To  support  the 
multiple  priority  level  capability,  three  functions  hidden 
from  the  kernel  interface  are  included.  These  functions  are: 
set_level , change_level , and  dispatch_level . 

The  last  feature  of  the  address_spaces  module  is  trap  handling 
or  fault  processing.  The  visible  trap  handling  functions  allow 
nonkernel  software  to  handle  traps;  certain  traps  (e.g.,  page 
faults)  are  not  visible  at  the  kernel  interface  and  are  not 
covered  by  these  visible  functions.  The  trap  structure 
supported  by  the  SCOMP  kernel  is  a generalization  and  simpli- 
fication of  the  particular  trap  mechanism  implemented  in  the 
SCOMP  hardware.  The  set_trap_handler  function  allows  the  user 
to  specify  a trap  handler  and  trap  save  area  for  a particular 
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trap  type  for  his  process.  The  kernel  enforces  the  discre- 
tionary ring  bracket  policy  within  this  function  in  a manner 
similar  to  level  handlers.  That  is,  (a)  the  effective  ring  of 
execution  of  the  trap  handler  cannot  be  more  privileged  than 
the  caller  ring;  and,  (b)  if  a more  privileged  trap  handler 
already  exists,  then  the  request  is  denied  (if  the  existing 
handler  is  not  more  privileged,  it  is  replaced) . The  trap 
function  specifies  the  behavior  of  the  kernel  upon  the 
occurrence  of  a given  trap  type.  The  kernel  passes  the 
pertinent  trap  information  into  the  user  defined  trap  save 
area  and  changes  the  process  execution  point  to  the  trap 
handler.  The  return_from_trap  function  specifies  the  return 
from  the  user-defined  trap  handler  upon  completion  of  fault 
processing.  The  only  significant  restriction  imposed  by  the 
kernel  within  this  function  is  that  the  ring  of  execution  of 
the  specified  return  execution  point  not  be  more  privileged 
than  that  of  the  trap  handler;  it  is  not  necessary  to  return 
to  the  point  where  the  trap  occurred. 

4 . 9 Host  Interfaces 

The  host  interfaces  module  provides  those  functions  necessary 
to  support  secure  communication  between  a host  (e.g.,  Multics) 
and  a front-end  processor  (SFEP) . As  specified,  the  link 
between  the  SFEP  process  and  its  associated  host  process  is 
the  device  name  (e.g. , terminal)  on  whose  behalf  both 
processes  were  created.  That  is,  neither  the  front-end 
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process  nor  the  host  process  need  be  aware  of  the  others 
process  identifier  in  order  to  communicate  since  only  one 
untrusted  user  process  may  have  a device  initiated  at  any 
one  time.  Thus,  specifying  the  device  name  implies  a unique 
target  process. 

In  order  to  support  the  host  interface,  several  kernel  data 
areas  are  associated  with  each  device,  represented  by  a 
collection  of  V-functions.  These  are: 

• device_status_area  - Area  used  by  the  SFEP  process  to 
transmit  device  status  information  to  the  host  process. 

• device_control_area  - Area  used  by  the  host  process  to 
provide  device  control  information  to  the  SFEP  process 
(e.g.,  change  translation  table). 

• message  queue  - Area  used  by  the  SFEP  process  to  send 
messages  to  its  associated  host  process. 

In  addition,  each  device  has  a data  area  or  buffer  in  user 
space  whose  location  is  specified  to  the  kernel  when  data  is 
to  be  sent  to  the  host  process  or  when  data  is  to  be  received 
from  the  host. 

The  following  SFEP  kernel  functions  are  included  in  the  host_ 
interfaces  module  to  support  the  host  interface: 

• send_message  - Allows  the  user  to  transfer  a data  buffer 
(i.e.,  message)  to  its  associated  host  process. 

• receive_message  - Allows  a user  to  specify  a data  buffer  to 
receive  a data  message  from  its  associated  host  process. 
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read_control_data  - Allows  a user  to  read  the  device 
control  table  set  by  the  host  process. 

• write_status_data  - Allows  a user  to  transfer  device 
status  information  to  its  associated  host  process. 

• send_wake-up  - Allows  a user  to  send  a message  to  its 
associated  host  process  via  its  message  queue.  This 
function  is  analogous  to  the  wake-up  function  which  sup- 
ports SFEP  inter-process  communication. 

• send_host_signal  - Allows  a user  to  interrupt  the  host 
process  to  receive  immediate  attention.  This  function  is 
intended  to  support  a device  "QUIT"  mechanism. 

5.0  REFERENCES 
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June  1976. 

3.  Detail  Specification  for  the  Security  Protection  Module 
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INTERFACE  SCOMP_kernel 
( c I ock ) 

(access.! eve  I s > 

(processes  WITHOUT  dispatch 

wake 

advanc  e_vi r t ua l_c I ock ) 

(volumes) 

(quota_cells  WITHOUT  set_quota 

change_qc_ref s 
change_qc_pages_used 
set_quota_ce I l_l imit ) 


(segments  WITHOUT  read 

write 

a I I ocate_page 
dea I I ocate_page 
add_page_to_free_l ist 
remove_page_f rom_f ree_ I ist 
change_wire_count 
set_page_used_l ndicat  or 
set_page_indlcators ) 

(devices  WITHOUT  set_dev 1 ce_acti ve 

wri te_device 
ass i gn_dev ice 
rel ease_device) 


(address.spaces  WITHOUT  Ini t_address_space 

pur  ge_address_space 

revoke_vol_access 

rese  t_device_used_ind lea tor 

reset_device_modi fled_l ndicat  or 

dec  remen t_seg_io_count 

set_leve I 

dispatch_l evel 

change_l eve  I ) 


(host.inter faces) 
) 
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MODULE  clock 


DECLARATIONS 
INTEGER  time? 


FUNCTIONS 

VF UN  read_rea!_clock()  ->  time? 

Mreturns  the  value  of  the  system-wide  real 
INITIALLY  time  = Ot 

OFUN  advance_rea I cl ock< ) ? 

$(advances  real  time  clock  one  time  unit) 
EFFECTS 

* read_r ea I _c I ock ( ) = read_rea l_c I ock ( ) + 1 

OV  FUN  ge  t_uid ( ) ->  time? 

$(generates  a unique  identifier) 

DELAY  UNTIL  read_rea I _c I ock ( I > h_last_uid() 
EFFECTS 

time  = read_rea I _c I ock ( ) * 

• h_ las t_ui d ( ) = time! 

VF  UN  h_last_uld<)  ->  time* 

t (returns  last  unique  identifier  generated) 

hidden; 

INITIALLY  time  = 0? 
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time  cl ock ) 


END_M0  DULE 
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MOOULF  access_l eve  I s 


TYPES 

I e ve  I .number  t CINTEGER  I n i 0 <=  In  ANO  In  <=  max.InK 
category.set  » CVECTOR.OF  BOOLEAN  cs  » LENGTH(cs)  = cs.sizeT? 
secur i ty_ I eve  I * STRUCT  ( I eve  I _n umber  sin? 

category_set  scs)? 
integr  ity.leve  I t STRUCT  ( I eve  I .number  iln? 

category.set  ics)? 

access.level  t STRUCT  ( securi t y_ I eve  I si? 

integrity. leve I II)? 


DECLARATIONS 

access.level  sub.al,  ob.a I ? 
INTEGER  i ? 

800LEAN  b,  trusted? 


PARAMETERS 

level.number  max.ln  S(maximum  level  number)? 
INTEGER  cs.size  $(category  set  size)? 


FUNCTIONS 

VFUN  h.r ead.a I I owed ( trus ted ? sub.al ? ob.a I ) *>  b? 

Kreturns  true  if  sublect  can  reed  object) 

HIOOEN? 

DERIVATION  sub.a I . s I . s I n >=  ob_al.sl.sln  ANO 

( sub.a  I . i 1 . 1 I n <=  ob_al.il. iln  OR  trusted)  ANO 
(FORALL  i : i >=  1 ANO  i <=  cs.size  J 
( ob.a I . s I . scsli 1 =>  sub.a I . s I . scsl i 1 ) ANO 
( ( suo.a I . i I . icst i J =>  ob.a I . i I . Ics I i 1 ) OR  trusted))? 

VFUN  h.wri te.a 1 1 owed! trusted?  sub.al?  ob.al)  ->  b? 

Kreturns  true  if  subject  can  write  object) 

hidden; 

DERIVATION  ( sub.a I . s I . s I n <=  ob.al. si. sin  OR  trusted)  ANO 
sub.a I . i 1 . 1 I n >=  ob.al. II. iln  AND 
(FORALL  i : i >=  1 ANO  i <=  cs.size  * 

( (sub.al .s I .scst i 1 =>  ob.al .si .scsli 1 ) OR  trusted)  AND 
( ob.a 1 . 1 1 . icst i 1 =>  sub.a I • 1 I . icsl i 1 ) ) ? 

VFUN  h.read.wr ite.a 1 1 owed( trusted?  sub.al?  ob.al)  ->  b? 

S (returns  true  if  subject  can  read  and  write  object) 

HIDDEN? 
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DERIVATION  h_read_a I 1owed(trusted»  sub_ai;  ob_a I > ANO 
h_wr i te_a I I owe d( t rus t ed » sub_a I * ob_al)» 


ENO_MODULE 
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MODULE  processes 


TYPES 

I eve  l_rujmber  t CINTEGER  In  » 0 <=  In  AND  In  <=  max.lnj? 
cate gory_se t « CVECTOR_OF  BOOLEAN  cs  I LENGTH(cs)  = cs_size>? 
securi ty_ I e ve l t STRUCT  ( I eve l_n umber  sin? 

category_set  scs)? 
in  t egr  i ty_  leve  I I STRUCT  ( I eve  I .number  lln? 

category_set  ics)? 

access_l eve  I : STRUCT  ( secur i t y_ I eve  I si? 

Inte  gr 1 ty_ leve  I II)? 

process_ul d : INTEGER? 
message  i INTEGER? 

message_queue  I VECTOR_OF  message? 
process_state  : Crunnlng,  ready,  blockedJ? 

pr oc e ss _pr i or 1 t y t CINTEGER  or  t 0 <=  pr  ANO  pr  <=  max_pri orl tyj ? 
level  : CINTEGER  level  : 1 <=  level  ANO  level  <=  pl_size>? 


DECLARATIONS 

process_uid  proculd,  newproc,  target? 
access. I eve  I a I ? 
message  msg? 

mes s ag e_queue  msg_queue? 
process_priori ty  pr? 
level  I eve  I ? 
process_state  state? 

BOOLEAN  b? 

INTEGER  i,  n,  time,  delta_t,  rea I _t i »er_i d? 


PARAMETERS 

process_u!d  inlt ia  lizer_id  $( ini tial Izer  process  id)? 
process_uid  time_monitor  $(time  monitor  process  id)? 
level  signal_level  Jlprocess  signal  level)? 

INTEGER  ma x_proc esses  $(maxlmum  number  of  processes)? 

INTEGER  max_messages  $(maxlmum  size  of  process  message  queue)? 
INTEGER  max_prlorlty  $(maxlmum  process  priority)? 


DEFINITIONS 

BOOLEAN  no_process (procui d ) IS 

”h_proc_exists(procuid) ? 

BOOLEAN  wri te_not_a I I o ned ( procui  d ? al)  IS 

~b_wri  t e_a  I I owed(h_proc_  trusted  (procuid)  , h_proc_a  I (procui  d)  , a I ) ? 
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BOOLEAN  no_message ( proculd ) IS 

LENGTH (h_proc_msg_queue( proculd) ) = 0? 

BOOLEAN  inva I id_t Imer (n)  IS 

n <=  o; 

BOOLEAN  undef  ined_level (proculd?  level)  IS 

~h_level_handler_exists( procuidt  level ) ; 

BOCLEAN  no_real_t imer (proculd ) IS 

~h_proc_real _t 1 mer ( procu i d) * 


EXTERNALREFS 
FROM  clocK  I 

VFUN  read_rea I _c I ock ( ) ->  time? 

OVFUN  get_uid()  ->  proculd? 

FROM  access_leve I s t 

level_number  max_ln  $(maximum  level  number)? 

INTEGER  cs_s i ze  $(category  set  size)? 

V FUN  h_wr i t e_a I I owed( b ? al?  al)  ->  b? 

FROM  address_spaces  s 

level  pl_slze  $ (number  of  visible  activity  levels)? 
VFUN  h_l eve l_handl er_exi sts (procui d?  level)  ->  b? 
OFUN  ini t_address_space ( proculd) ? 

OFUN  pur ge_address_s pace ( procui d ) ? 

OFUN  dispatch_l e ve I ( procui d) ? 

OFUN  set  I eve  I ( procui d ? level?  b)? 


FUNCTIONS 

OVFUN  create_proc  (a  I ? b?  pOtprocuid)  ->  newproc? 
$ (creates  a new  process) 

EXCEPTIONS 

proculd  “=  ini t ia I izer_id ? 
h_proc_coun t ( ) = max.processes ? 

EFFECTS 

newproc  = EFFECTS.OF  get.uldO? 

• h_proc_ex i s ts ( newproc ) = TRUE? 

*h_proc_al (newproc)  = al? 
*h_proc_trusted(newproc)  = b? 
*h_proc_priori ty (newproc)  = pr ? 

EFFECTS_OF  ini t_address_s pace (reworoc) ? 

• h_proc_count ( ) = h_proc_c ount ( ) ♦ 1? 

OFUN  de I ete_proc ( targe t )[ procui d I ? 
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$(deletes  a process) 

EXCEPTIONS 

procuid  ~=  ini tlal izer_ld? 
no.process (target) ; 

EFFECTS 

* h_proc_count ( ) = h_proc_count ( ) - l? 
•h_proc_exlsts (target)  = FALSE? 

EFFECTS_OF  pur ge_address_s pace (t ar get ) ? 

VFUN  h_proc_exls  ts (procuid)  ->  p? 

^(returns  true  if  process  exists) 

H I ODEN  ? 

INITIALLY  b = FALSE? 

VFUN  h_proc_count ( ) ->  n? 

J (returns  number  of  existing  processes) 

HIODEN? 

INITIALLY  n = 0? 

VFUN  h_proc_a I ( procui d ) ->  al ? 

$ (returns  access  level  of  process) 

HIDDEN? 

INITIALLY  al  = ?? 

VFUN  proc_a I ()( procui d 1 ->  al? 

J(external  form  of  h_proc_a I ) 

DERIVATION  h_proc_a I ( procui  d) ? 

VFUN  h_proc_truste d(procul d)  ->  b? 

$ (returns  true  if  process  is  trusted) 

HIDDEN? 

INITIALLY  b = ?? 

VFUN  proc_trusted () I procui d]  — > b? 

$(external  form  of  h_proc_trusted) 

DERIVATION  h_proc_trus ted ( procui d) ? 

VFUN  h_proc_pr ior 1 ty ( procui  d)  ->  pr ? 

$ (returns  process  priority) 

HIDDEN? 

INITIALLY  pr  = ?? 

VFUN  proc_priority() [procuid]  ->  pr ? 

$ (externa  I form  of  h_proc_p  riori  ty ) 

DERIVATION  h_proc_prl ority( procuid) ? 

OFUN  se t_pr ior i ty ( t ar ge t ? pr) [ procui d ) ? 

$(sets  process  scheduling  priority) 

EXCEPTIONS 

no_orocess ( tar get ) ? 

writ e_not_a I lowed(proculd»  h_proc_a I ( targe t ) ) ? 
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EFFECTS 

•h_proc_prl orl ty ( target)  = IF  target  = procuid 

THEN  pr 

ELSE  IF  h_proc_pri ori ty (target)  < pr 
THEN  pr 

ELSE  h_proc_pri  ori  t y ( t ar ge  t ) ; 

OF  UN  dispatch(target) ? 

$(dispatches  a process) 

effects 

• h_proc_s t a te ( t ar ge t ) = running? 

EFFECTS_OF  di spatch_le vel  (target) ? 

VFUN  h_proc_s t at e ( pr ocul d ) ■*>  state* 

$ (returns  process  state) 

HIOOEN? 

INITIALLY  state  = ?? 

OFUN  wake ( tar  get ? msg)? 

$ (sends  a message  to  target  process 
message  is  lost  if  target  queue  full) 

OEFINIT IONS 

INTEGER  n IS  LENGTH ( h_proc_ms g_queue ( targe t )) ? 

INTEGER  m IS  IF  n = max_messages  THEN  n ELSE  n + 1? 

EFFECTS 

*h_proc_msg_queue ( target ) = VECTOR  (FOR  i FROM  l TO  m * 

IF  1 <=  n THEN  h_proc_msg_queue( target)! i 1 ELSE  msg)? 

*h_proc_state( target)  = IF  h_proc_state(target)  = running 

THEN  running  ELSE  ready? 

OFUN  wakeup(target?  msg) I procul d 1 ? 

$(externa!  form  of  wake) 

EXCEPTIONS 

no_process (target)  ? 

write_not_al I owed(procuid»  h_proc_a I (target)) ? 

EFFECTS 

EFFECTS_OF  wake(target.  msg)? 

OFUN  send_signal (target?  msg) t pr ocui d 1 ? 

$ (Interrupt  form  of  wakeup) 

EXCEPTIONS 

no_process (target ) ? 

write_not_a I lowed(procuid»  h_proc_al (target) ) ? 

EFFECTS 

EFFECTS_OF  se t _ I eve  I ( t arge t * s igna I _ I eve  I ♦ TRUE)? 

EFFECTS_OF  wake(target,  msg)? 

OV FUN  read_messages () I procuid 1 ->  msg_queue? 

$ (returns  contents  of  process  message  queue) 

EXCEPTIONS 

no_message (procuid) ? 
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EFFECTS 

msg_queue  = h_proc_msg_queue { procuid) ; 

*h_proc_msg_queue (procuid ) = VECTOR  (); 

OVFUN  b I ock { ) I procui d ] ->  msg_queue; 

Streturns  contents  of  process  message  queue 
If  queue  empty*  waits  for  message  to  arrive) 

DELAY_UNTIL  ~no_message ( procui d) * 

EFFECTS 

ros g_queue  = EFFECTS_OF  read_messages ( procui d)  * 

VFUN  h_proc_msg_queue (procuid)  ->  msg_queue* 

$ (returns  contents  of  process  message  queue) 
hiooen; 

INITIALLY  msg_queue  = VECTOR  (); 

OFUN  set_rea l_t i mer (de 1 1 a_t ; rea l_t i mer_i d;  I eve  I ) [ procui d ] ; 

® (sets  real  timer  to  wakeup  process  In  delta  t time  units) 
EXCEPTIONS 

inval id_tlmer(del ta_t) ; 

undef ined_l eve  I (procuid*  level ) * 

EFFECTS 

|h_real_t i mer ( procui d)  = delta_t  ♦ re ad_rea I _c lock ( ) * 
*h_rea l_t imer_msg_ ( procui d)  = rea I _ 1 1 mer_ld * 

’ h_rea I _t imer_ I eve  I ( procui  d)  = level* 

* h_proc_rea I _t 1 mer ( procui d)  = TRUE* 

VFUN  h_proc_real _tlmer (procuid)  ->  o; 

Ilreturns  true  if  process  has  real  timer) 
hiooen; 

initially  b=  false; 

VFUN  h_rea l_t 1 mer ( procuid)  ->  time; 

3 (returns  time  of  next  real  timer  wakeup  for  process) 

hiooen; 

INITIALLY  time  = ?; 

VFUN  read_real_timer ( ) (procuidJ  ->  time; 

$(external  form  of  h_rea I _t 1 mer ) 

EXCEPTIONS 

no_rea l_t I mer ( procui d)  5 
OERIVATION  h_rea I _t 1 mer ( procui d ) ; 

VFUN  h_real_ti me r_msg( procuid)  ->  rea l_t I mer_i d; 

Kretums  real  timer  wakeup  message) 

hiooen; 

INITIALLY  real _t lmer_ld  = ?; 

VFUN  h_rea I _t 1 mer_ level (procuid)  ->  level; 

$ ( returns  level  of  real  timer  handler) 

hioden; 
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INITIALLY  level  = ?? 

OFUN  rea I _t i mer_runout ( ) ? 

$(notifies  processes  of  re3l  timer  runout) 

EFFECTS 

FORALL  procuid  » h_proc_ex i sts (procui  d) 

AND  h_proc_real_t  imer  (procui  d) 

AND  h_rea l_t imer ( procuid)  - read_r eal _c I ocK ( ) J 
EFFEC TS_0F  wake ( procuid,  h_rea l_t  imer_msg ( procui d ) ) AND 
• h_oroc_rea I _t i mer ( proc ul d)  = FALSE  AND 

EFFECTS_OF  set_l eve  I ( procui d , h_rea 1 _t 1 me r_ I eve  I ( procui d) « TRUE)? 

VFUN  n_vi r t ua I _c I ock ( procui d)  ->  time? 

1 (returns  the  value  of  proc ess- 1 oc a I virtual  time  clock) 
hidden; 

INITIALLY  time  = 0? 

OFUN  advance_virtua I _c I ock ( procui d) ; 

S ( advances  virtual  time  clock  one  time  unit) 

EFFECTS 

* h_virtua  l_c  I ock  ( procuid  ) = h_v  1 rtua  l_c  I ock  ( procui  d)  ♦ 1» 

VFUN  read_vlrtual_cl ock (target) t procuid)  ->  time? 

$(external  form  of  h_virtua l_c I ock ) 

EXCEPTIONS 

procuid  ~ = t i me_mon i tor; 
no_process ( tar  get) ; 

DERIVATION  h_v i r t ua I _c I ock ( t ar ge t > ; 


END_MOOULE 
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MODULE  volumes 


TYPES 

level_r,umber  * CINTEGER  I n 1 0 <=  In  AND  In  <=  max_ln>; 
cate gory_se t » CVECTOR_OF  BOOLEAN  cs  : LENGTH(cs)  = cs_size>; 
secur i t y_ I eve  I t STRUCT  ( I eve  I _n umber  sin* 

category_set  scs); 
int egr * ty_l eve  I : STRUCT  ( I eve  I .number  iln? 

category_set  ics)  ? 

access_level  : STRUCT  (securi ty_l evel  si i 

lntegrity_ leve  I ll>; 

process_uld  : INTEGER? 
volume_uid  l INTEGER? 
cuota_ce I l_uid  t INTEGER? 


DECLARATIONS 

volume_uid  voluid? 
process_uid  procuid? 
quota_ce I I _ui d qcuid? 

access_level  min_al»  max_a I ♦ al,  from_al,  to_al? 
BOOLEAN  b? 

INTEGER  n? 


PARAMETERS 

INTEGER  volume_size  (number  of  pages  on  a volume)? 

INTEGER  ini t i a l_disc_dri ve_count ( a I ) $(initial  allocation  of  drives)? 
process_uid  in i t i a I i zer_i d {(volume  initializer  process  id)? 

INTEGER  max_vo!umes  {(maximum  number  of  volumes)? 

INTEGER  max_quota_ce I l_count  {(maximum  number  of  quota  cells  per  volume)? 


DEFINITIONS 

BOOLEAN  wri te_not_a I I owed ( procui d ? al)  IS 

~h_wr i t e_a I I owed(h_proc_  trus ted ( proc ui d) , h_proc_a I (procui  d)  , a I ) ? 

BOOLEAN  mount e d_v olume  (vol uld)  IS 
h_vol _moun ted ( vo I ui d) ? 

BOOLEAN  no_vo I ume (procuid?  voluid)  IS 

IF  “h_vo I _ex i sts ( vol ui d)  THEN  TRUE 

ELSE  “h_read_a I I owed( h_pr oestrus ted (procuid) « h_pr oc_a I ( procui d) » 

h_vo l_mln_a I (vo luid) ) ? 

BOOLEAN  unmounted_vol ume (vol ui d)  IS 
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IF  “h_vo I _moun ted ( vo I ui d ) HEN  TRUE 

ELSE  “h_read_a I I o we d(h_proc_ trusted (procuid) * h_proc_al (procui d) « 

h_vo !_min_a I (vol uid) ) ? 


BOOLEAN  no_disc_drive (al ) IS 

h_dri ve_count ( a I ) = 0? 

BOOLEAN  inva I i d_drl ve_coun t (n ) IS 
n < o? 

BOOLEAN  insuf  fici ent _dr 1 ves (a  I ? n)  IS 
h_dri ve_couot ( a I ) < n? 


EXTERNALREFS 
FROM  C I OCK  * 

OVFUN  get_ui d ( ) ->  voluid? 

FROM  access_leve I s « 

I eve  I _number  max_ln  {(maximum  level  number)? 

INTEGER  cs_s I ze  {(category  set  size)? 

V FUN  h_write_all o*ed(b?  al?  al)  ->  b? 

VFUN  h_read_a I I owed(b ? al?  al)  ->  b? 

FROM  processes  I 

VFUN  h_proc_a I (procui d)  ->  al? 

VFUN  h_proc_trusted(procuid)  ->  b? 

FROM  quota_cel I s « 

OVFUN  create_quota_ce  I I ( vol  uid?  al  ? aD(procuid)  -»  qcuid? 
OFUN  set_quota ( qcuid?  n) ? 

0 FUN  set_quota_ce I l_l 1 mi t (voluid?  n) ? 

FROM  address_spaces  » 

OFUN  revoke_vol_access(voluid?  procuid)? 


FUNCTIONS 

OVFUN  create_vol ume(mln_a I ? max_a I ) I procuid]  ->  voluid? 

$(creates  a new  volume) 

EXCEPTIONS 

procuid  ■“=  ini  t la  1 1 zer_ld  ? 
h_vol_count ( ) = max_vo!umes? 

EFFECTS 

voluid  = EFFECTS.OF  get_uld()? 

*h_vol _exists( vol ui  d)  = TRUE? 

* h_vol _min_a I ( vo I ui d)  = min_al? 

*h_vol_max_al (voluid)  = raax_al? 

EFFECTS_OF  se t_quo t a_ce 1 1 _ I i m 1 1 ( vo I ui d,  max_quota_ce 1 1 _coun  t) ? 
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• h_vo  l_ini  t_qc  ( vo  lul  d)  = EFFECTS_OF  create_quota_.ce  1 1 (voluid* 

mln_al»  min_al*  proculd)? 

EFFECTS_OF  set.quota (• h_vol_Tnit_qc (vol uid) , vol ume_sl ze) ? 

• h_vol _count ( ) = h_vol _count ( ) ♦ 1? 

OFUN  del ete_volume(voluld) [proculd] ; 
ttdeletes  a volume) 

EXCEPTIONS 

proculd  ”=  ini tial i zer_id ? 

*’h_vol  _exlsts(voluid)? 
moun  ted_vo  I ume  ( vo  I u 1 d)  ? 

EFFECTS 

* h_vol _ex i s t s ( vo!  ui  d)  = FALSE? 

* h_vol _count ( ) = h_vol _coun t ( ) - 1? 

VFUN  h_vol_exlsts (vol uid)  ->  b? 

$ (returns  true  It  volume  exists) 

hiqoen; 

INITIALLY  b = FALSE? 

VFUN  h_vo I _count ( ) ->  n? 

$(returns  number  of  existing  volumes) 

HIOOEN? 

INITIALLY  n = 0? 

VFUN  h_vol_min_al (voluid)  ->  mln_al? 

Slreturns  minimum  access  level  of  volume) 

HIOOEN? 

INITIALLY  min_a I = ?? 

VFUN  v o I _min_a I ( vo I ui d) [ pr ocul d]  ->  mln_al? 

$(external  form  of  h_vo I _mi n_a I ) 

EXCEPTIONS 

no_vo( ume (procuid*  voluid)? 

DERIVATION  h_vol_min_al (vol uid) ? 

VFUN  h_vol_max_al (vo luld)  ->  max_a I ? 

S(returns  maximum  access  level  of  volume) 

HIOOEN? 

INITIALLY  max_a I = ?? 

VFUN  vol_max_a I (voluid) t proculd]  -»  max_al? 

$(external  form  of  h_vol _max_a I ) 

EXCEPTIONS 

no_vo I ume ( proculd*  voluid)? 

DERIVATION  h_vo I _max_a I ( vol ui d ) ? 

VFUN  h_vo I _ in i t_qc ( vo I uid)  ->  qculd? 

I (returns  initial  quota  cell  id  for  volume) 

HIDDEN? 

INITIALLY  qculd  = ?? 
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VF UN  vol _ini t_qc ( vol ul d ) t procul d 1 ->  qcuid? 

$(external  form  of  h_vol_inl t_qc ) 

EXCEPTIONS 

no_vo I ume ( procul d»  voluid); 

DERIVATION  h_vo I _ini t_qc ( vo  luid) ? 

OF UN  moun t_vo lume(voJuid)tprocuid]; 

$ (mounts  a volume  on  a disc  drive) 

EXCEPTIONS 

no_vol ume (procuid*  voluid); 
mounted_vo lume(voluid) ? 

wri  te_not_a  I lowedlprocuid*  h_vol_mln_a  I ( vo  I ui  d ) ) ? 
no_dlsc_dr i ve ( h_vo I _mi  n_a I ( vo  I ui  d)  ) ; 

EFFECTS 

* h_vo I _moun t ed ( vo  lu i d)  = TRUE? 

*P_drl ve_count (h_vo l_mln_al(voluid))  = 

h_drlve_count(h_vol_min_a I ( voluid)  ) - l? 

OF UN  demount_volume(voluid)(proculd]? 

$(demounts  a volume  from  a disc  drive) 

EXCEPTIONS 

unmoun ted_vo I ume ( procul d»  voluid) ; 

wr i t e_not_a I lowed(proculd,  h_vol_mln_a I (voluid))  * 

EFFECTS 

• h_vol .mounted ( vo lu id)  = FALSE? 

• h_dri ve_count ( h_vo I _min_a I ( vo lul d) ) = 

h_dr 1 ve_count ( h_vo I _ml n_a I ( vo I ul  d ) ) * 1? 
EFFECTS_OF  revoke_vo I _acc ess ( vo  I ui  d,  procuid)? 

VFUN  h_vol_mounted (vol uid)  ->  b? 

$ (returns  true  If  volume  Is  mounted) 

hidoen; 

INITIALLY  b = FALSE? 

VFUN  h_drive_count (a  I ) ->  n? 

t (returns  number  of  available  disc  drives  at  assigned  al) 

hioden; 

INITIALLY  n = 1 n 1 1 1 a I _di sc_dri ve_coun t ( a I ) ? 

OFUN  change_drive_count ( f rom_a I ? to_al?  nllprocuidl? 

{(changes  access  level  distribution  of  free  disc  drives) 
EXCEPTIONS 

procuid  ~=  1 n 1 1 i a I i zer_l  d ? 

Inval i d_dr 1 ve_count  (n) ? 

insuf f lclent_dr 1 ves ( f rom_a I » n)? 

EFFECTS 

•h_dri ve.count ( f rom_al ) = h_drl ve.count ( from_a I)  - n? 

• h_drl ve_c ount ( t o_a I ) = h_dri ve_count (to_al ) ♦ n? 
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MODULE  quota_ce I I s 


TYPES 

level  number  t CINTEGER  In  i 0 <=  In  AND  In  <=  max.InT? 
ca  tegory.se t * CVECTOR.OF  BOOLEAN  cs  » LENGTH(cs)  = cs_slze>? 
securi ty_l eve  I I STRUCT  ( I eve  I _n umber  sin? 

category_set  scs)? 

In  t egr i ty_l eve  I : STRUCT  ( I eve  I .number  iln? 

category.se t lcs)? 

access. level  » STRUCT  ( securi ty_ I eve  I si? 

in t egr i t y_ I e ve  I ill? 

proces s_ui d i INTEGER? 
vo 1 ume.ui d I INTEGER? 
quo t a.ce I I _ui d I INTEGER? 


declarations 

process.uid  proculd? 
vo  I ume.ui d voluid? 

quota.ce I I _ui  d qcuidt  from.qcuidt  to.qcuid? 
access. level  alt  valt  f rom.a I t t o.a I » 
INTEGER  npagest  n? 

BOOLEAN  b? 


DEFINITIONS 


BOOLEAN  unmoun te d_vo I ume ( pr oc ui d ? voluid)  IS 
IF  ~h_vo I _moun t ed ( vo  I ui  d ) THEN  TRUE 

ELSE  ~h.read.al I owed( h.proc.trus ted ( procui d) , h.oroc.al (proculd) t 

h_vol_min_a I ( vo I ui d) ) ? 

BOOLEAN  outs  ide.vo I .1 evel s ( vo I ul d ? val?  al)  IS 

~h_wr i t e.a I I o wed ( F ALSE t n.vo l.min.a I ( vo I ui d) t val)  OR 
"h.wrlte.al lowed(FALSEt  alt  h.vo l.max.a I (vol uid) ) ? 

BOOLEAN  unordered.access.l eve  I s( va I ? al  ) IS 
~h  wr 1 1 e.a I I o wed ( F ALSE t valt  al  ) ? 


BOOLEAN  read.not.al I owed ( procui d ? al  ) IS 

“h  read.a I I o we d(h_proc .trusted! procuid) t h.proc.a  I ( procui  d ) , 


a I ) ; 


BOOLEAN  wrl  te.not.a  I I owed(  procui  d ? al)  IS 

“h.wri te.al I owed ( h.proc. tr us  ted ( procuid) « 


h.proc.a I ( procui d) t al)? 


BOOLEAN  read.wri te.not.a I I owed (procuid?  al)  IS 

~h_read.wri te.al 1 owed ( h.proc. trusted (procuid) T h.oroc.al (procuid) t 

al  ) ? 
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BOOLEAN  no_quota_ce1 I ( procuid ? voluid?  qcuid)  IS 
IF  ~h_qc_exi s ts (vo I ui  d,  qcuid)  THEN  TRUE 

ELSE  ~h_read_allowed( h_proc_t rus  t ed (procuid)*  h_pr  oc_a  l(proculd)* 

h_qc_vlslbi I ity_a1 (qcuid)) ? 

BOOLEAN  non_zero_quot a (qcui d)  IS 
b_qc_pages (qcuid)  “=  0; 

BOOLEAN  non_zero_refs (qcuid)  IS 
h_qc_ref s(qcuid)  "=  0? 

BOOLEAN  inva I i d_quo ta_change ( npa  ces ) IS 
npages  < 0? 

BOOLEAN  insuf f ic i ent.quota (qcuid ? noages)  IS 

h_qc_pages (qcuid)  - h_qc_pages_used ( qcui d)  < npages? 


EXTERNALREFS 
FROM  clock  I 

OVFUN  get_ui d ( ) ->  qcuid? 

FROM  access.levels  * 

level_number  max_ln  $(maximum  level  number)? 
INTEGER  cs_s i ze  $(category  set  size)? 

V FUN  h_r ead_a I I o wed ( b ? ai:  al)  ->  b? 

V FUN  h_wr i t e_a I I owed( b ? al?  al)  ->  b? 

V FUN  h_read_write_al I owed(b?  al?  al)  ->  b? 

FROM  processes  » 

VFUN  h_proc_al (procuid)  ->  al? 

V F UN  h_proc_trus ted( pr ocui d ) ->  b? 

FROM  volumes  I 

VFUN  h_vol_mour>ted(voluid)  ->  b? 

VFUN  h_vol_min_al (voluid)  ->  al? 

VFUN  h_vol_max_al (voluid)  ->  al ? 


FUNCTIONS 

OVFUN  create_quota_ce I I (voluid?  val ? aDtprocuid!  ->  qcuid? 
$(creates  a new  quota  cell) 

EXCEPTIONS 

unordered_access_l evel s (va I * al)? 

wr i t e_not_a I I owed ( procui d * val)? 

unmoun ted_vo I ume ( procu i d»  voluid) ? 

outsi de_vo ) _l eve  I s ( vol ui d*  val*  a!)? 

h_qc_c oun t (voluid*  val)  = h_qc_l imit ( vo luid*  val)? 
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EFFECTS 

qcuid  = EFFECTS.OF  get_uid(>? 

•h_qc_vlsibi I i ty_a I ( qcuid)  = val  ? 

* h_qc_a I ( qcui d ) = al? 

•h_qc_exi s ts ( vo I ui d*  qcuid)  = TRUE* 

*h_qc_count (voluid,  val)  = h_qc_count ( vo I ui d*  va I ) ♦ 1? 


OFUN 


dele te_quot a_ce I I (voluid?  qcuid) fprocuidl * 
$(deletes  a quota  cell) 


EXCEPTIONS 

unmount ed_vo lumelprocuid,  voluid)? 
no_quota_ce I I ( procuid*  voluid*  qcuid)? 

wri te_not_a I I owed ( proculd  * h_qc_visib i I i ty_a I ( qcui d ) ) ? 
read_not_a I lowed! procuid,  h_qc_a I { qcuid) ) ? 
non_zero_quota ( qcui d) ? 
non_zero_re f s ( qcui d ) ? 


EFFECTS 

•h_qc_exists( vo luid* 
*b_qc_count (voluid* 


qcui d)  = FALSE? 
h_visibi I lty_al (qcuid) ) = 

h_qc_count (voluid*  b_v isibil lty_al (qcuid)) 


1*, 


VFUN  h_qc_count(voluid?  al)  ->  n? 

{(returns  number  of  quota  cells  for  volume  at  given  al) 

HIOOEN? 

INITIALLY  n = 0? 

VFUN  h_qc_exists  (vol  uid?  qcuid)  ->  t>* 

$ (returns  true  if  quota  cell  exists) 

HIOOEN? 

INITIALLY  b = FALSE? 

VFUN  h_qc_vlsibl I 1 ty_al (qcuid ) ->  al  » 

{(returns  access  level  of  quota  cell  visibility) 

HIOOEN? 

INITIALLY  a)  = ?? 

VFUN  qc_visibl llty_al (voluid?  qcuid ) C proculd 1 ->  al? 

$ (external  form  of  h_qc_vls ibl I 1 ty_a I ) 

EXCEPTIONS 

unmoun  ted_volume( proculd*  vol uid) ? 
no_quota_cel I (procuid*  voluid,  qcuid)? 

DERIVATION  h_qc_visibi I i ty_a I (qcuid) ? 

VFUN  h_qc_a I (qcuid)  ->  al? 

$ (returns  access  level  of  quota  cell) 

HIDDEN? 

INITIALLY  al  = ?? 

VFUN  qc_al (voluid?  qcuid) ( procui d 1 ->  al? 

$ (external  form  of  h_qc_al) 

EXCEPTIONS 
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unmoun  ted_vo lume(proculd*  voluld); 
no_quota_cel  I ( procul  d»  voluld*  qculd) ; 

DERIVATION  h_qc_a I (qculd) ; 

OFUN  se t_quot a ( qcui d ? npages) « 

$(sets  quota  of  quota  cell 

used  only  to  Initialize  first  auota  cell  on  a volume) 
EFFECTS 

* h_qc_pages ( qcui d)  = npages; 

OFUN  mo ve_quo t a ( vo I u i d ? from_qcuid;  to_qculd;  npages ) t proc uld ] ; 

S (moves  page  quota  from  one  quota  cell  to  another) 

EXCEPTIONS 

inval 1 d_quo t a_change (npages) ; 

unmoun  t ed_vo 1 ume(procuid*  voluld); 

no_quo t a_ce I I { procul d»  voluld*  from_qcuid) ; 

ho_quota_.ee  I 1 ( procui  d*  voluld*  to_qculd); 

r ead_wr 1 te_not_a I I owed ( procul d » h_qc_a I (from, qculd) ) ; 

wri t e_not_a I lowed(proculd*  h_qc_a I (to_qcul d) ) ; 

insufficient_quota( f rom_qcui d,  npages)* 

EFFECTS 

* h_qc_pages ( f rom_qcuid ) = h_qc_pages ( f rom_qcul d)  - npages; 
*t'_qc_pages  ( to_qcul  d)  = h_qc_pages  ( to_qcui  d)  *■  npages* 

VF UN  h_qc_pages ( qcui d ) ->  npages; 

t (returns  page  quota  for  quota  cell) 

hioden; 

INITIALLY  npages  = 0* 

VFUN  qc_pages ( vo I ui d;  qcui d) t proc ul d ) ->  npages; 

{(external  form  of  h_qc_pages) 

EXCEPTIONS 

unmounted_volume(procuid*  voluld) ; 
no_quota_ce I I ( procul d*  voluid*  qculd); 
read_not_al I owed ( procul d*  h_qc_a| (qculd) ) ; 

DERIVATION  h_qc_pa ge s ( qc ui d ) * 

VFUN  h_qc_refs (qculd)  ->  n* 

{(returns  quota  cell  reference  count) 

hidden; 

INITIALLY  n = o; 

VFUN  qc_re  f s ( vo  I u 1 d*  qcui  d ) I proc  ul  d ) ->  n; 

{(external  form  of  h_qc_refs)? 

EXCEPTIONS 

unmoun ted_vo !ume(procuid*  voluld); 
no_quo  t a_c  e I I ( proc  ul  d*  voluid*  qculd); 
r ead_not_a I I owed ( procui d*  h_qc_al (qculd) ) ? 

DERIVATION  h_qc_refs (qculd) ? 

OFUN  change_qc_re fs(qculd;  n) ; 
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$(changes  quota  cell  reference  count) 

EFFECTS 

*n_qc_refs (qcuid)  = h_qc_re f s (qcui d)  ♦ n? 

VFUN  h_qc_pa ges_used ( qcui  d)  ->  npages; 

$(returns  pages  used  within  page  quota  for  quota  cell) 

hioden; 

INITIALLY  npages  = 0? 

VFUN  qc_pages_used ( vo I uid*  qcui d ) I pr ocui d ] ->  npages? 

$ (external  form  of  h_qc_pages_used ) 

EXCEPTIONS 

unmoun  t ed_vo I ume(procuid,  voluid); 
no_quota_ce I I ( procui d,  voluid,  qcuid)* 
r ead_no t_a I lowed(procuid»  h_qc_a I ( qcuid ) ) * 

DERIVATION  h_qc_pages_used( qcui d ) ; 

OFUN  change_qc_pages_used (qcuid*  npages); 

$(changes  pages  used  for  quota  cell) 

EFFECTS 

*h_qc_pages_used(qcuid)  = h_qc_pages_used ( qcui d)  ♦ npages? 

OFUN  se t_quot a_ce I I _l i mi t ( vo I ui d ; n) ; 

$(sets  quota  cell  limit  for  volume 

used  only  to  initialize  first  auota  cell  limit  on  a volume) 
EFFECTS 

*o_qc_l imi t ( vo I ui d,  h_vol_min_al (voluid) ) = n* 

VFUN  h_qc_l 1 mi t ( vo I u id  * al)  ->  n* 

Kreturns  quota  cell  limit  for  volume  at  given  al) 

hidden; 

INITIALLY  n = O; 

OFUN  change_quota_ce I l_ I im i t ( vol uid?  from_ai;  to_al?  nHprocuidl? 

$ (moves  quota  for  quota  cells  from  one  access  level  to  another) 
EXCEPTIONS 

inva I id_quota_change (n ) ; 
unmoun ted_vo lume(procuid,  voluid); 
r ead_wr i t e_not _a llowedfprocuid,  from_al); 
write_not_al lowedtprocuid*  to_al ) ; 

h_qc_l i mi t ( vo I ui d,  from_al)  - h_qc_coun t ( vo I u i d,  from_al)  < n 
EFFECTS 

*h_qc_l imit (vol uid*  from_al)  - h_qc_ I imi t ( v o I ui d » from_al)  - 
*f>_qc_l  imi  t ( vol  uid,  to_al  ) = h_qc_l  imit  (vol  ui  d,  to_al)  n; 
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MOOULE  segments 


TYPES 

level _number  * CINTEGER  I n * 0 <=  In  ANO  In  <=  max_ln>? 
ca  tegory_set  : CVECTOR_OF  BOOLEAN  cs  : LENGTH(cs)  = cs_size>? 
securi t y _ I eve  I : STRUCT  ( I eve  I .number  sin? 

category_set  scs)? 
in t egr i ty_ I eve  I * STRUCT  ( I evel _number  iln? 

category_set  lcs)? 

access_level  * STRUCT  ( secur 1 1 y_ I eve  I si? 

integr ity_ leve I i!)? 

process_uid  I INTEGER? 
volume_uid  1 INTEGER? 
quota_ce II _ui d * INTEGER? 
segment_uid  tINTEGER? 

segment_of f set  t CINTEGER  so  l 0 <=  so  ANO  so  <=  max.offsetl? 
page_number  t CINTEGER  pn  I 1 <=  pn  ANO  on  (max_otfset  ♦ l ) /page_si zel » 
core_address  * CINTEGER  addr  * 0 <=  addr  ANO  addr  <=  max_c ore_addr ess> ? 
f ree_page_l 1st  I VECTOR.OF  core.address ? 

segment  length  t CINTEGER  length  t 1 <=  length  ANO  length  <=  max_offset 

♦ 11? 

me m or y_ut i I lzation_data  * STRUCT  (segment_uld  seguid? 

page_number  pageno? 
core_address  addr? 

BOOLEAN  used? 

BOOLEAN  modified)? 

memory_ut i I iza t i on_da t a_ list  : SE T_OF  memory_ut i 1 1 za t ion_da ta ? 

page_data  t STRUCT  (segment_uld  seguid? 

oage_number  pageno) ? 
pa ge_data_ list  » SET_OF  page_data? 
machine_word  t INTEGER? 

se  gmen  t_number  • CINTEGER  sn  t 0 <=  sn  AND  sn  <=  max_segnol? 


DECLARATIONS 

process_uid  proculd? 
volume_uld  voluld? 
quo t a_ce I I _ui d qcuid? 
segment_uid  seguid? 
access_level  at*  val? 
segment_of f set  offset? 
page_number  pageno? 
core_address  core_address? 
segmen t_l ength  length? 
machine_word  word? 
f ree_page_l ist  free_llst? 
memory_uti I izat I on_da ta  mem_data? 
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me  mory _ut i 1 1 za  1 1 on_da t a_l 1st  mem_list? 
page_data_ I is t page_list? 
se gmen t_number  segno? 

INTEGER  it  page_request_count , npages,  n? 
BOOLEAN  b? 


PARAMETERS 

process_ui d memory_manager  S ( memory  manager  process  id)? 
se  gmen  t_o  f f se t max_offset  $(maximum  segment  offset)? 

INTEGER  page_size  $(number  of  words  in  a page)? 

core_address  max_core_addr ess  $(maximum  allowable  memory  address): 
INTEGER  min_f r ee_page_count  $(mlnimum  number  of  free  pages)? 
free_page_l ist  ini t_f ree_l 1st  $(free  pages  in  memory  Initially)? 
core_address  in i t_core_address ( s egu i d ) {(initial  address  of  unpaged 

segments) ? 


DEFINITIONS 

BOOLEAN  unmoun ted_vol ume ( proculd ? voluid)  IS 
IF  "h_vol_mounted(voluld)  THEN  TRUE 

ELSE  ~h_r ead_a I lowed(h_proc_trusted(proculd) t n_proc_al fprocuid) , 

h_vol_min_al (voluid) ) ? 

BOOLEAN  no_quota_cel I ( procuid?  voluid?  qculd)  IS 
IF  ~h_qc_exi s t s ( vo I ui d,  qcuid)  THEN  TRUE 

ELSE  ~h_read_a I I owed ( h_proc_  trus  ted ( procui d) t h_pr  oc_a I ( pr  ocui d) t 

h_qc_visibl  lity_al(qcuid))? 

BOOLEAN  outslde_qc_leve Is ( qcuid?  val)  IS 

~h_write_al lowed(FALSEt  h_qc_visibi  1 1 ty_al  (qcuid)  , val)  OR 
“h_wr i te_a I I owed(FALSEt  valt  h_qc_al  (qcuid) ) ? 

BOOLEAN  wri te_not_a 1 1 owed ( procui  d ? al)  IS 

~h_write_al I owed ( h_proc_ trus ted ( procui d ) « h_proc_a I (procuid) t al ) ? 

BOOLEAN  no_segment (procuid?  voluid?  seguid)  IS 

IF~“h_seg_ex ists(vol uid,  seguid)  THEN  TRUE 

ELSE  ~h_read_al I owed ( h_oroc_ trus ted ( procui d)  , h_pr oc_a I (procui d) t 

h_seg_v lsibility_al (seguid)) ? 

BOOLEAN  read_not_a I I owed( procuid ? al)  IS 

*h_read_a ||owed(h_proc_trusted(procuid)t  h_proc_al(procuid)t  al)? 

BOOLEAN  page_quota_overf I ow (qcui d?  npages)  IS 

h_qc_pages ( qc ui d)  - h_qc_pa ges_used ( qcui  d ) < npages? 


EXTERNALREFS 
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FROM  clock  » 

OVFUN  get_uid()  ->  seguid; 

FROM  access_l e ve I s s 

level_number  max_ln  $(maximum  level  number); 

INTEGER  cs_size  $(category  set  size); 

VFUN  h_read_all owed(b;  ai;  al)  ->  b; 

V FUN  h_write_al I owed(b!  al!  al)  ->  b! 

FROM  processes  * 

VFUN  h_proc_exis ts ( procui d)  ->  b; 

VFUN  h_pr oc_a I ( procui d ) ->  al! 

VFUN  h_proc_trusted(proculd)  ->  b; 

OFUN  wake (procui d;  page_request_count ) ; 

FROM  volumes  S 

VFUN  h_vo I _mi n_a I ( vo I ui d ) ->  al! 

VFUN  h_vo  I ..mounted  ( vo  I ui  d)  ->  b! 

FROM  quota_cells  J 

VFUN  h_qc_exlsts(voluid;  qculd)  ->  b; 

VFUN  h_qc_visibi lity_al (qcuid)  ->  al ! 

VFUN  h_qc_a I (qcui d)  ->  at; 

OFUN  change_qc_refs(qcuid!  i); 

OFUN  change_qc_pages_used(qcuid!  i)! 

VFUN  h_qc_pages ( qcui d)  ->  npages! 

VFUN  h_qc_pages_used ( qcui d)  ->  npages* 

FROM  address_spaces  t 

segment_number  max_segno  ^(maximum  segment  number)! 
VFUN  h_kst_segui d(procuid?  segno)  ->  seguid! 

VFUN  h_kst_seg_io_count(procui  d!  segno)  ->  i! 

VFUN  h_kst_va I id (procuid!  segno)  -»  b; 


FUNCTIONS 

OVFUN  create_seg ( vo I ui d!  qcuid!  vai;  length) t procuid ) -> 
$ (creates  a new  segment) 

DEFINITIONS 

INTEGER  n IS  (length  - l ♦ page_si ze ) /page_si ze! 
EXCEPTIONS 

unmounted_vol ume( procuid*  voluid) 
no_quota_ce I I ( procuid*  voluid*  qcuid); 
ou tsi de_qc_1 eve  I s ( qcuid,  val)! 
writ e_not_a I lowed(procuid,  val)! 
page_quota_over f I ow ( qcui d * n) ! 

EFFECTS 

seguid  = EFFECTS_OF  get_uid()! 

* h_seg_exists( voluid*seguid)  = TRUE! 


se  gul d! 
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• h_seg_qc (seguld)  = qcuid? 

* h_seg_vl s Ibi 1 1 1 y_a I (se gu 1 d)  = val? 

EFFECTS_OF  chan ge_qc_re f s ( qcu 1 d , 1); 

EFFECTS_OF  change_qc_page s_used( qcuid t n)  ? 

• h_seg_ I engt h ( segul d)  = length* 

• h_seg_paged ( segul d ) = TRUE? 

OFUN  delete_seg(vol uid?  segul d) l proculd 1 5 
$(deletes  a segment) 

EXCEPTIONS 

unmoun  t ed_vo I ume  ( proculd*  woluld)* 
no_segment (proculd*  voluld*  seguld)? 

*r 1 t e_not_a I lowedlprocuid*  h_seg_v isibllity_al (seguld) ) ? 

DELA Y_UNT IL  FORALL  prcc  I h_proc_e x 1 s ts ( proc ) * 

(FORALL  segno  : h_ks t_va I id ( proc * segno)  AND 

h_kst_segul d( proc * segno)  = seguld  : 
h_ks t_se g_i e_c ount ( proc * segno)  - o)? 

DEFINITIONS 

INTEGER  n IS  ( h_seg_l engt h (se gui d)  - 1 ♦ page_si ze ) /page_s lze ? 
quota_ce I l_ul d qcuid  IS  h_seg_qc (seguid) ? 

EFFECTS 

* h_seg_exi s ts ( vol ui d*  seguid)  " FALSE? 

EFFECTS_OF  change_qc_re f s ( qcu i d,  -1)? 

EFFECTS_OF  change_qc_pa ge s_used( qcuid , -n) ? 

IF  h_seg_paged(seguid) 

THEN  FORALL  i » 1 >=  1 AND  i <=  n l 

EFFECTS_OF  dea II ocat e_page ( segul d,  1) 

ELSE  FORALL  1 » 1 >=  0 ANO  1 < n I 

EFFECTS_OF  add_page_to_tree_ I 1st (h_seg_core_address(seguld) 

♦ i*page_slze ) ? 


OVFUN  read(seguid?  offset)  ->  word? 

$(reads  a word  of  a segment) 

DEFINITIONS 

INTEGER  n IS  (offset  ♦ page.slze) /page_slze ? 

EFFECTS 

h_seg_paged (seguld)  =>  EFFECTS_OF  a I I ocate_pa ge( s eguid , n)  ANO 

*h_seg_page_used(segui d»  n)  = TRUE? 
word  = h_seg_contents(seguld*  offset)? 

OFUN  wr 1 te (segul d ? offset?  word)? 

$(wrltes  a word  of  a segment) 

DEFINITIONS 

INTEGER  n IS  (offset  ♦ page_s lze) /page.slze ? 

EFFECTS 

h_seg_paged (seguld)  =>  EFFECTS_OF  a I I ocate_pa get seguid * n)  AND 

*h_se g_page_used(segul d,  n)  = TRUE  ANO 
• h_seg_page_modi f led (s eguid*  n)  = TRUE? 
•h_seg_contents(seguid*  offset)  = word? 

OFlN  a I I ocate_page (seguid?  pageno)? 
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S(al  locates  main  memory  page  to  segment) 

EFFECTS 

“H_seg_page_i n_core ( segul  d * oageno)  => 
*H_seg_page_core_address(seguid,  pageno)  = 

EFFECTS_OF  remove_p3ge_f rom_free_l 1st ()  ANO 
' O_seg_page_in_core(seguld,  pageno)  = TRUE? 

OFUN  deal  I oca t e_page ( segul d ? pageno)* 

t (deal  I ocates  segment  page  from  main  memory) 

EFFECTS 

H_seg_page_in_core(seguld,  pageno)  => 

EFFFCTS_OF  add_page_to_f r ee_l 1 st ( h_se  g_page_core_ad dress ( 

seguld*  pageno)) 

AND  * n_seg_page_ln_core (s eguid,  pageno)  = FALSE? 

VF UN  h_se g_exl st s ( vo I uid ? seguld)  -»  b? 

$ (returns  true  if  segment  exists) 

HIDDEN? 

INITIALLY  b = FALSE? 

VFUN  h_se g_v i s ib i 1 1 1 y_a I. ( segul d)  ->  al? 

$ (returns  access  level  of  segment  creator) 

HIOOEN? 

INITIALLY  al  = ?? 

VFUN  seg_vl sib  1 1 1 1 y_a I ( vo I uid ? segul d) I proculd ] ->  al? 

$(external  form  of  h_seg_vi sibi I ity_al ) 

EXCEPTIONS 

unmounted_volume( proculd*  voluld) ? 
no_segment (proculd,  voluld*  seguld)? 

DERIVATION  h_seg_vlsibi I lty_al (seguld) ? 

VFUN  n_seg_al ( segul d)  ->  al? 

J (returns  access  level  of  segment) 

HIDDEN? 

DERIVATION  h_qc_a I (h_seg_qc (seguld) ) ? 

VFUN  seg_a I ( vo I ui d ? seguld) I proc ul d 1 ->  al? 

$ (external  form  of  h_seg_al ) 

EXCEPTIONS 

unmoun  ted_vo lume( proculd,  voluld)? 
no_segment (procuid,  voluld*  seguld)? 

DERIVATION  h_se g_a I ( segul d)  ? 

VFUN  h_seg_qc ( segu i d)  ->  qcuid? 

S(returns  quota  cell  Id  of  segment) 

HIDDEN? 

INITIALLY  qcuid  = ?? 

VFUN  seg_qc (voluld?  segul d )( proc ui d 1 ->  qcuid? 

$(external  form  of  h_seg_qc) 
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EXCEPTIONS 

unmounted_vo I ume ( procui d*  voluld) i 
no_segment (proculd*  voluld*  seguld); 

DERIVATION  h_seg_qc ( se gu 1 d) ? 

VFUN  h_seg_contents(seguid?  offset)  ->  word? 

$ (returns  a word  of  a segment) 

hidden; 

INITIALLY  word  = 0; 

VFUN  h_seg_l ength (seguld)  -»  length* 
l (returns  length  of  segment) 

hiooen; 

INITIALLY  length  = ?? 

VFUN  seg_l engt h ( vo I ui d?  se gui d) I procuid ] ->  length; 

{(external  form  of  h_seg_l ength) 

EXCEPTIONS 

unmounted_volume(procuid,  voluld) ; 
no_se gment ( procuid*  voluld*  seguld); 

DERIVATION  h_seg_l ength( seg ul d) * 

VFUN  h_seg_paged (seguld)  ->  b; 

{(returns  true  if  segment  Is  paged) 

hiooen; 

INITIALLY  b = FALSE? 

VFUN  h_seg_page_in_core (segui d;  pageno)  ->  b* 

{(returns  true  If  page  is  In  core) 
hiooen; 

INITIALLY  b = FALSE; 

VFUN  h_seg_page_core_address( seguld ; pageno)  ->  core_addre ss; 
{(returns  core  address  of  page) 
hidden; 

INITIALLY  core_address  = ?; 

VFUN  h_seg_core_address(seguld)  ->  core_address ? 

{(returns  core  address  of  unpaged  segment) 

hidden; 

INITIALLY  core_address  = lnlt_core_address(seguld) ; 

OFUN  set_page_used_indicator ( seg tid;  pageno)? 

{(sets  global  page  used  indicator) 

EFFECTS 

* h_seg_page_used(seguid»  pageno)  = TRUE? 

OFUN  set_page_lndlcators(seguid?  pageno); 

{(sets  global  page  used  and  modified  indicators) 

EFFECTS 

• h_seg_page_used(seguld»  pageno)  = TRUE; 
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’ se 9_page_modl f I ed (segu i dt  pageno)  = TRUE? 

VFUN  h_seg_page_used ( segui d ; pageno)  ->  b? 

$ ( returns  true  if  page  glooally  used) 

hidoen; 

INITIALLY  b = FALSE? 


VFUN  h_seg_page_modif led(seguld?  pageno)  ->  b? 
t (returns  true  if  page  globally  modified) 
HIDDEN? 

INITIALLY  b = FALSE? 


VFUN  h_seg_wire_count ( seguid)  ->  n? 

$(returns  count  of  processes  having  segment  wired) 

HIDOEN? 

INITIALLY  n = 0? 

OFUN  change_wire_count (seguid?  n) 

$(changes  wire  count  for  segment) 

EFFECTS 

se 9_w i r e_c oun t ( se gu i d)  = h_seg_wire_coun  t (segui  d ) f n? 
h_seg_wire_count (seguid)  = 0 AND  h_se g_paged ( seguid ) => 
FORALL  i : 1 <=  i AND  I <=  ( h_seg_ length(seguid)  - i 

♦ page_size)/page_size  t 
EFFECTS_OF  a I I ocat e_p age ( segu i d , i)? 


OVFUN  get_memory_data ( ) ( procuid)  ->  mem_!ist? 

$ (returns  memory  utilization  data  to  memory  manager) 

EXCEPTIONS 

procuid  ~=  memory_manager ? 

DEFINITIONS 

INTEGER  n IS  (h.seg.l engt h(seguid)  - 1 + Page.sl ze) /page.s 1 ze ? 


mem_l  ist  = Cmemor y_u ti li zat i on.dat a mem_data  t 
h.vol .mounted ( vol uid)  AND 
h_seg_ex lststvoluid,  seguid)  AND 
h_seg_paged(seguid)  ANO 
h_seg.wire.coun t(seguid)  = o AND 
h_seg_page.in_core (seguid*  pageno) >? 
FORALL  voluld  l h.v o I _moun te d ( vo I uld)  : 

(FORALL  seguid  t h_se g.ex  Ist s ( vol ui d»  seguid)  ANO 

h_seg_pa ged(seguld)  AND 
h.seg.wi  re_count  (seguid)  = o * 
(FORALL  oageno  t pageno  <=  n AND 

h_seg_page_in_c ore (seguid,  pageno) 
*h_seg_page_used(seguid,  pageno)  = FALSE))? 


: 


VFUN  h_mem.dat a ( segui d?  pageno)  ->  mem_data? 
! (returns  memory  utilization  data) 
HIDDEN? 

DERIVATION  <seguid,  pageno. 
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h_seg_page_core_address ( seguidt  pageno) * 
h_seg_page_used ( seguidt  pageno) t 
h_seg_page_modi fied(seguidf  pageno)  > ; 

OF  UN  pro vi de_f ree_pages (page_1isT)!procuidi; 

$(provldes  free  pages  from  memory  manager  for  Kernel  free  list) 
EXCEPTIONS 

Drocuid  “=  memory_mana ger * 
page_list  “INSET  mem.list? 

DEFINITIONS 

INTEGER  n IS  CARDINALITY  (page.list)? 

EFFECTS 

FOR  i FROM  1 TO  n t 

* H_seg_page_modi fied(page_| ist.seguidtll. 

page_l ist.pagenot i 1 ) = FALSE 
AND  * h_seg_page_in_core (page_l lst.seguldfi), 

pa ge_l ist .pageno! 1 1 ) = FALSE 

ANO  EFFECTS.OF  add_page_ to_ I ree_ 1 1 s t ( h_se g_oage_c ore_addr ess ( 

page_list.  segui d!  1 1 . 
page_llst. pageno! i 1 ) ) ; 

VFUN  h_free_page_l 1st ( > ->  free_list? 

Kreturns  list  of  free  pages  in  main  memory) 

hidden; 

INITIALLY  free.list  = in i t _ f ree_ I i st 

OFUN  add_page_to_f ree_l 1st (core_address ) * 

$(adds  page  to  list  of  free  pages  in  main  memory) 

DEFINITIONS 

INTEGER  n IS  LENGTH (h_free_page_list ()) ; 

EFFECTS 

•h_free_page_l ist( ) = VECTOR  (FOR  1 FROM  l TO  n*l  : 

IF  i <=  n THEN  h_f ree_page_l 1st ( ) 1 1 1 ELSE  core_address) ; 

OVFUN  remove_page_f rom_f ree_l i st ( ) ->  core_address » 

{(removes  page  from  list  of  free  pages  in  main  memory) 

DEFINITIONS 

INTEGER  n IS  LENGTH ( h_free_page_ I i st ()) ? 

DELAY_UNTIL  n >=  mln_f ree_page_count » 

EFFECTS 

•h_free_page_l ist ( ) = VECTOR  (FOR  i FROM  1 TO  n-1  t 
h_f r ee_page_ I ist ( ) 1 1 J * 
core_address  = h_f ree_page_l i s t( ) ! n) ? 
n = mi n_f ree_page_coun t - > 

EFFECTS_OF  wake! memory_manager*  page_request_count) ; 


ENO  MODULE 


A-28 


SCO MP  KERNEL  SPECIFICATION 

Rev  R 


2/14/77 

5/25/77 


OS  34028917 


MODULE  devices 


TYPES 


I e ve  J _number 
ca  tegory_set 
securi ty_l eve 

in  t e gr 1 ty_ I ev 

access, I e ve I 

process_uid  : 
device  uid  I 


* CINTEGER  In  : 0 <=  In  ANO  In  <=  max_ln}J 

t (VECTOR_OF  BOOLEAN  cs  I LENGTH(cs)  = cs_S 
I I STRUCT  ( I e ve I _number  sin? 

category_set  scsl? 
el  t STRUCT  { I eve  I .number  lln? 

category_set  ics) ? 

* STRUCT  (securi ty_ I eve  I si? 

integrity_leve I il>? 

INTEGER? 

INTEGER? 


lze>? 


device_mapplng_type  : (mapped,  premappedJ? 

device_t  ype  s (INTEGER  type  J l <=  type  AND  type  <=  max  dev_types>? 
device_utl 1 izati on_dat  a « STRUCT  (devlce_uid  devuld? 

BOOLEAN  initiated? 

BOOLEAN  used? 

BOOLEAN  modified) ? 

device.util ization_data_list  I SET_OF  device.ut 1 1 i za t ion_da ta ? 
se gmen t_number  t (INTEGER  sn  t o < = sr.  ANO  sn  <=  max_segnoT? 
device_number  : (INTEGER  dn  : 0 <=  dn  ANO  dn  <=  max_devno>? 
mach i ne_word  l INTEGER? 
contro l_operat ion  I INTEGER? 


DECLARATIONS 

process_uid  proculd? 

access,! eve  I a I ? 

mach i ne_word  word? 

device_uid  devuld? 

de vice_mapplng_type  map_type? 

device_type  dev_type? 

de vice_ut i I ization_data  dev_data  ? 

device_uti I ization_data_l 1st  dev_l ist  ? 

de v i ce_n umber  devno? 

contro l_operat ion  opcode? 

se gmen t_number  segno? 

INTEGER  n? 

BOOLEAN  b? 


PARAMETERS 


process_ui  d 
process_ui  d 
device_type 
BOOLEAN  vail 


devlce_manager  {(device  manager  process 
device_moni tor  {(device  monitor  process 
max_device_types  {(maximum  device  types) 
d_read_op (dev_type ? opcode)  {(valid  read 


id)  ? 
id)  ? 
♦ 

ops 


f or  device) ? 
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BOOLEAN 

INTEGER 


val ld_wri te_op ( dev_ty pe?  opcode)  $(valid 
max  devices  {(maximum  number  of  devices) 


wrl te  oos 


for  device) » 


DEFINITIONS 

BOOLEAN  ex i st 1 ng_de vi ce ( de vui d)  IS 
h_dev_exi sts ( devuid); 

BOOLEAN  no_device (procuid?  devuld)  IS 

IF  ~b_dev_exlsts(devuid>  THEN  TRUE 

ELSE  “h_read_a I I owed( h_proc_trus ted ( procui d) « h_proc_a I ( procui d) « 

h_dev_al  (devuld)) ; 

BOOLEAN  devlce_not_act ive ( devui d ) IS 
“h_dev_ac ti ve ( devui d)  ; 


EXTERNALREFS 
FROM  access_l eve  I s * 

levet_number  max_ln  {(maximum  level  number); 

INTEGER  cs_size  {(category  set  size)? 

VFUN  h_read_al lowedlb*  at;  al)  ->  b; 

FROM  processes  : 

VFUN  h_proc_a I ( procui d)  ->  al* 

VFUN  h_proc_trus ted ( procui d ) ->  b; 

0 FUN  wake (procui d?  devno); 

FROM  address_spaces  » 

segment.number  max_segno  {(maximum  segment  number); 
de vi ce_number  max_devno  {(maximum  device  number); 
VFUN  h_kdt_dev_used(procuid;  devno)  ->  b; 

VFUN  h_k dt_dev_modi f i ed( procui d*  devno)  ->  b; 

OFUN  reset _device_used_i ndlcator( devuld); 

0 FUN  reset_devlce_mod 1 fied_ind leaf or (devuld) ; 

VFUN  h_kdt_segno(procuid;  devno)  ->  segno; 

OFUN  set_l eve  I ( procui d;  level;  b); 

OFUN  decrement_seg_io_count  (procuid;  segno); 

OFUN  revoke_devl ce_access (d evul d ) l procui d 1 ; 

VFUN  h_kdt_ I eve  I ( procu id ; devno)  ->  level; 


FUNCTIONS 

OFUN  ere ate_device (devuid;  al;  dev_type;  map_t ype ) t procui d 1 * 
{(creates  a new  device) 

EXCEPTIONS 

procuid  "=  device_manager ? 
exist ing_devi ce ( devuid) ; 
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h_de v_c oun t ( ) - max_devices? 

EFFECTS 

* h_dev_exi sts ( devul d)  = TRUE? 

* h_dev_al ( devul d ) = al? 

*h_dev_type (devuld)  = dev_type? 
•h_dev_map_type(devuld)  = map_type? 

*h_dev_count ( ) = h_de v_coun t ( ) ♦ 

OFUN  de  I ete_de vice (devuld) t procuid! ; 

{(deletes  a device) 

EXCEPTIONS 

proculd  *’=  device_manager ? 
no_devlce (proculd,  devuld); 

EFFECTS 

*h_dev_exlsts(devuid)  = FALSE? 

*h_de v_count ( ) = h_dev_count ( ) - l? 

OFUN  change_devlce_al (devuld?  a I ) l procul d ) ? 

{(changes  access  level  of  device) 

EXCEPTIONS 

procuid  “=  devlce_manager? 
no_devlce (procuid,  devuld)? 

EFFECTS 

*h_dev_al ( devuld)  = al? 

EFFECTS_OF  revoke_devl ce_access ( devul d,  proculd)? 

OFUN  c ha nge_devlce_mapplng_type( devuld?  map_ty pe ) t pr ocui d 1 ? 
{(changes  device  mapping  type) 

EXCEPTIONS 

proculd  ”=  dev lce_manager ? 
no_devlce (procuid,  devuld)? 

EFFECTS 

' h_dev_map_type (devuld)  = mao_type ? 

0 V FUN  ge t_devl ce_data ()( proculd)  ->  dev_list? 

{(returns  device  utilization  data  to  device  monitor) 
EXCEPTIONS 

procuid  ~=  devlce_moni tor ? 

EFFECTS 

dev_l 1st  = Cdevice_uti I izati on_data  dev_data  * 
h_dev_ex is ts( devuld) }? 

FORALL  devuld  I h_dev_exl s ts ( devul d ) AND 

h_dev_ini tiated(devuid)  t 

EFFECTS_OF  r eset _dev lce_use d_ind lea t or ( de vu 1 d)  AND 
EFFECTS_OF  reset_device_modl f i ed_lndl cat  or ( devul d ) ? 

VFUN  h_dev_data (devul d)  ->  dev_data? 

{(returns  device  utilization  data) 

HIDDEN? 

DERIVATION  <devuld,  h_dev_init lated( devuld) , 

h_dev_used(devuld) , h_dev_modl f led ( devul d ) >? 
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VFUN 


h_dev_used( devui  d)  ->  b? 

? (returns  device  used  data) 

HIDDEN? 

DERIVATION  IF  h_de v_i n i t i at e d ( d e vui d ) 

THEN  h_kdt _dev_used (h_dev_inl t iat  or( devui  d ) 

h_dev_devno(devui  d)  ) 


else  false; 


» 


VFUN 


h_dev_modi f 1 ed (devui  d ) ->  b; 

{(returns  device  modified  data) 

hidden; 

DERIVATION  IF  h_dev_i n i t i at ed ( de vui d ) 

THEN  h_kdt_dev_modi f ied (h_dev_init iat or (devui d) * 

h_dev_devno ( de vu 1 d) ) 


else  false; 


OF  UN  dev ice_wakeup ( devuld) ; 

$(notlfles  initiator  process  of  asynchronous  io  termination) 
EXCEPTIONS 

device_not_active(devuld) ; 

DEFINITIONS 

process_uid  proc  IS  h_dev_ini t lator ( devui d ) ; 
de v ice_number  devno  IS  h_dev_devno (devuid) ; 
segmen t_number  segno  IS  h_kdt_segno (proc * devno); 

EFFECTS 

• h_dev_ac t 1 ve ( devui d)  = FALSE* 

EFFECTS_OF  wake(proc*  devno); 

EFFECTS_OF  se t _ I eve  I ( pr oc  » h_kdt_ I eve  I ( proc * devno)*  TRUE); 
EFFECTS_OF  dec remen t_se g_i o_c oun t ( proc * segno); 


OF  UN  assign_device(procuid;  devuid?  devno)? 
$(assigns  device  to  initiator  process) 
EFFECTS 

•h_dev_ini t i atedtde vui  d)  = TRUE? 

* h_dev_ini 1 1 at  or ( devui d)  = procuid? 

*h_de v_devno(devuld)  = devno? 

OFUN  re  I ease_device (devui d) ; 

{(releases  initiated  device) 

EFFECTS 

•h_dev_initiated(devuid)  = FALSE? 

OFUN  set_device_acti ve(devuid) ; 

$(sets  device  state  active) 

EFFECTS 

• h_dev_act i ve ( devui d)  = TRUE? 


OFUN  wr i te_dev ice ( devui d?  word)? 
$(*rites  a word  to  device) 
EFFECTS 
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* h_dev  con  tent s ( devuld ) = word! 


VF UN  h_dev_count ( ) ->  n* 

$(returns  number  of  devices) 
hidden; 

INITIALLY  n = 0 ♦ 

VFUN  h_dev_exlsts ( devuld)  ->  b* 

$ (returns  true  if  device  exists) 

hidden; 

INITIALLY  b = FALSE; 

VFUN  h_dev_al ( devuid)  ->  at; 

^(returns  access  level  of  device) 

hidden; 

INITIALLY  a I = ?; 


VFUN  h_dev_type(devuid)  ->  dev_type; 

% (returns  device  type) 
hidden; 

INITIALLY  dev_type  = ?; 

VFUN  h_dev_map_type(devuid)  ->  map_type; 
$ (returns  device  mapping  type) 
hidoen; 

INITIALLY  map_type  = ?; 


VFUN  h_va 1 1 d_r ead_op ( dev_type * opcode)  ->  b; 

$ (returns  true  if  valid  read  operation  for  device  type) 

hidden; 

INITIALLY  b = va 1 1 d_r ead_op ( dev_ ty pe « opcode); 

VFUN  h_val ld_write_op (dev_typet  opcode)  ->  b; 

$ (returns  true  if  vallc*  write  operation  for  device  type) 

hidden; 

INITIALLY  b = va 1 1 d_wri te_op (dev_t ype , opcode); 

VFUN  h_dev_in I tl ated( devul d)  ->  b? 

$(returns  true  if  device  currently  initiated) 

hidden; 

INITIALLY  b = FALSE; 

VFUN  h_dev_lnltiator(devuid)  ->  proculdj 

$ (returns  device  initiator  process  id) 
hiooen; 

INITIALLY  procuid  = ?; 

VFUN  h_de v_devno ( de vu 1 d)  ->  devnot 

S (returns  local  device  number  in  initiator  process  space) 

hidden; 

INITIALLY  devno  = ?; 
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VFUN  h_dev_ac t ive ( devui  d)  -»  b? 

$ (returns  true  if  asynchronous  read  or  write  in  progress) 
hidoen; 

INITIALLY  b = FALSE? 

VFUN  n_dev_contents (devui d)  ->  word? 

Kreturns  contents  of  device) 

HIDDEN? 

INITIALLY  word  = ?? 

VFUN  device_al (devuid) I proculdl  ->  al  ? 

{(external  form  of  h_dev_al ) 

EXCEPTIONS 

no_devlce (procuid*  devuid)? 

DERIVATION  h_dev_al (devuid) ? 

VFUN  devic e_t ype ( devul d) (proculdl  ->  dev_type? 

{(external  for*  of  h_dev_type) 

EXCEPTIONS 

no_devl ce (procui dt  devuid)? 

DERIVATION  h_dev_type ( devui d ) ? 

VFUN  device_map_type( devul d) ( procui dl  ->  map_type? 

{(external  for*  of  h_dev_map_type) 

EXCEPTIONS 

no_device (proculd*  devuid)? 

DERIVATION  h_dev_map_t ype (devul d ) ? 


EN0_M00ULE 
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MOOULE  address_spaces 


TYPES 

level _number  1 CINTEGER  In  1 0 <=  In  ANO  In  <=  max_ln>; 
category_set  : CVECTOR.OF  BOOLEAN  cs  : LENGTH(cs)  = cs_size>? 
securi ty_| eve  I t STRUCT  ( I eve  I _n umber  sin? 

category_set  scs)? 
integr 1 ty_leve I I STRUCT  (level .number  lln? 

category_set  ics)? 

access_level  : STRUCT  ( securi ty_ I eve  I si; 

integrity_level  ll>; 

process_uid  « INTEGER? 
vo I ume_ui d : INTEGER? 
se  gmen  t_ui  d » INTEGER? 

ri number  t CINTEGER  rn  t 0 <=  rn  AND  rn  <=  max_ring>? 
ri  ng_brackets  t CVECTOR_OF  ring_number  rb  t LENGTH(rb)  = 3>? 
se  gment_number  « CINTEGER  sn  1 0 <=  sn  ANO  sn  <=  max_segno>? 
dev  ice _n umber  ; CINTEGER  dn  * 0 <—  dn  AND  dn  <~  max_devnoT? 
se  gmen  T_o  f f se  t t CINTEGER  so  l o <=  so  AND  so  < = max__of  f se  1 3? 
execut ion_point  1 STRUCT  (rlng_nuraber  rn? 

segment_nu»ber  sn? 
segment_o f f se t so)? 

access.mode  » CVECTOR_OF  BOOLEAN  am  * LENGTH (am)  = 3>? 
machine_word  * INTEGER? 

page_number  l CINTEGER  pn  t 1 <=  pn  AND  pn  <=  (max_offset  ♦ 1 ) /page_sl ze>? 
level  : CINTEGER  level  * l <=  level  AND  level  <=  pl_size>? 
process_levels  » CVECTOR.OF  BOOLEAN  pi  « LENGTH ( p I ) = pl_size>? 
de v 1 ce_ui d I INTEGER? 

se  gmen  t_l ength  1 CINTEGER  length  * 1 <=  length  ANO  length  <=  max_offset 

* i>; 

devxce_mapping_t ype  1 Cmapped*  premappedl? 

traP— numt>er  t CINTEGER  tn  s l <=  tn  AND  tn  < = max_trapno>? 

contro l_operat ion  t INTEGER? 

mem_area  : STRUCT  (se gment_number  sn ? 

se  gment_of  f se  t so)? 

io_count  t CINTEGER  count  1 0 <=  count  ANO  count  <=  max_i o_count > ? 
trap_info  J VECTOR_OF  machine_word? 

devlce_type  i CINTEGER  type  : 1 <=  type  ANO  type  <=  max_.de  v_typesJ ; 
Known_se sment_tab le  » STRUCT  (900LEAN  valid? 

se  gmen  t_uid  seguid? 
volume_uid  voluid? 

BOOLEAN  access_def ined ? 
access_mode  mode? 
ri ng_brackets  rb? 

BOOLEAN  seg_used? 

BOOLEAN  seg_modl f ied? 

BOOLEAN  seg_nlred? 

INTEGER  seg_lo_count ? 

BOOLEAN  page_used? 
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BOOLEAN  page_modlf  led)  *, 

known_segment_tab le_l  1st  » SET_OF  known_segment_tabl e ? 


DECLARATIONS 

process_uid  proculd,  proc? 
volume_uid  voluld! 
segment_uid  seguld; 
device_uid  devuld; 
access_level  al? 
access_mode  mode*  given_mode; 
rlng_number  ring*  eff_ring? 
ri ng_brack ets  rb* 
se gmen t_number  segno; 
device_n umber  devno? 
se gmen t_o f f set  offset; 
machine_word  word; 
trap_number  traono? 

execut ion_polnt  exec_pt,  return_exec_pt ; 
page_number  pageno? 

I eve  I I eve  I ; 

process_l eve  I s ac t i v 1 1 y_l eve  I s ; 
contro I _operat Ion  opcode; 
device_mapplng_type  map_type; 
device_type  dev_type; 
mem_area  save_area; 
se gmen t_ length  length,  range; 
lo_count  io_count; 
trap_lnfo  trap_lnfo; 

INTEGER  i,n? 

BOOLEAN  b? 


PARAMETERS 

ring_number  kernel_ring  $( least  privileged  ring  used  by  kernel) 
rlng_number  max_rlng  {(maximum  ring  number); 
se gmen t_number  max_segno  {(maximum  segment  number); 
de vice_number  max_devno  {(maximum  device  number); 
trap_number  max_trapno  {(maximum  trap  number); 

lo_count  max_lo_count  {(maximum  number  of  active  io  operations) 
level  lnit_!evel  {(initial  process  level); 

execut i on_point  init_exec_pt  {(Initial  process  execution  point) 
kncwn_segment_tab I e _ 1 1st  template_kst  {(Initial  process  kst); 
INTEGER  pl_size  {(number  of  process  levels); 


DEFINITIONS 

BOOLEAN  unmounted_vol umelprocuid;  voluid)  IS 
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I*7  ~h_vo l_mounted  ( vol  uid)  THEN  TRUE 

ELSE  “h_read_a I I owed( h_proc_ trust ed ( procui d) * h_pr oc_a I ( procui d) * 

h_vo l_min_a I (vol uid) ) ; 

BOOLEAN  no_segment (procuid?  voiuld?  seguld)  IS 

IF  ~h_seg_exists(voluid,  seguld)  THEN  TRUE 

ELSE  ~h_read_a I I owed ( h_proc_t  rusted ( procui d) * h_pr  oc  al(procuid), 

h-seg_vlsibi 1 1 ty_a I (seguld) ) ? 

BOOLEAN  writ e_no t_a I lowed(procuid;  al)  IS 

~h_wrl te_a I I owed ( h_proc_trus  ted ( procui d I , h_proc_a I (procuid) , al  ) ? 

BOOLEAN  inva 1 1 d_segno (procuid?  segno)  IS 
Kst_va  I i d ( procu  1 d«  segno)? 


BOOLEAN  undef lned_access (procuid * segno)  IS 

h— ks t_access_de fined(procuid*  se gno ) * 

BOOLEAN  no_read_per ml ss 1 on ( procui d ? ring?  segno)  IS 
~ (b_kst_mode ( procui d,  segno) til  AND 

ring  <=  h_kst_rb (procuid,  segno)(2))? 

BOOLEAN  no_wr I te_per mi ssion( proc uid?  ring?  segno)  IS 
~ ( h_kst_mode ( procuid,  segno) t2)  AND 

ring  <=  b_ks t_r b ( proc ui d , segnoHi])? 

BOCLFAN  no_execute_permiss ion (procuid?  ring?  segno)  IS 
~(h_kst_mode( procuid,  segno) 13]  AND 

r4ng  <=  b_kst_rb ( proc uid,  segno)(2l  AND 
ring  >=  h_kst_rb  (proc  uid,  segnoHil)? 

BOOLEAN  out_of_bounds (procuid?  segno?  offset)  IS 

offset  >=  t>_seg_  I engt  h (h_ks  t_segu  id  ( procui  d»  segno))? 

BOOLEAN  outside_cal I _brack ets ( procui d ? ring?  segno)  IS 
“(ring  > = h_kst_rb  (procui  d,  segnoHD  AND 
ring  <=  h_kst_rb (procui d,  segno)l3))? 

BOOLEAN  inva I i d_ca I I _ I i mi  ter ( o f f set ) IS 
"■(offset  = 0)  ? 

BOOLEAN  inward_return (procuid?  ring)  IS 
rmg  < h_proc_r  i ng  ( procui  d)  ? 

BOOLEAN  segno_in_use ( proc ui d?  segno)  IS 
h-kst_val id(procuid,  segno)? 

BOOLEAN  se gmen t_w lred ( proc uid ? segno)  IS 
h-ks t_seg_wi red (procui d*  segno)? 

BOOLEAN  inva I id_ring_brackets (rb ) IS 
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“(kernel_ring  < rblll  AND 
rbl 1 1 <=  no  t 2 1 < = rbl3l)? 

boolean 

segment_not_wlred ( procul d * segno)  IS 
”h_kst_seg_wlred(procuidt  segno) ; 

BOOLEAN 

segment_used_f or_l o ( proc ul d ; segno)  IS 
“ (h_ks t_se g_i o_count ( proc ui d ♦ segno)  =0)? 

BOOLEAN 

unde f i ned_ 1 eve  1 ( procul d;  level)  IS 

“h_ 1 eve  1 _hand 1 er_exis ts ( procuid*  level); 

BOOLEAN 

devno_In_use ( procul d|  devno)  IS 
h_kdt_va 1 Id (procul d*  devno); 

BOOLEAN 

no_device(procuid;  devuld)  IS 
IE  “h_dev_exi sts 1 devuld)  THEN  TRUE 

ELSE  *h_read_a 1 1 owed ( h_proc_ trust ed (procuid) * h_proc_al (procul d) « 

h_dev_3l  (devuld)) ; 

BOOLEAN 

device_in_use (devuld)  IS 
h_dev_lnitiated(devuid); 

BOOLEAN 

inval 1 d_devno ( procuid ; devno)  IS 
“h_kdt_va 1 1 d ( procul d*  devno); 

BOOLEAN 

device_actlve (procuid;  devno)  IS 

h_de v_ac t ive(h_kdt_devuid( procuid * devno) ) ; 

BOOLEAN 

inva 1 1 d_device_r ing_brac  kets(rb)  IS 

■"(kerne  l_ring  < MIN(Crbti]t  rb!3J>)  AND  rblll  <=  rb(2l); 

BOOLEAN 

inva 1 1 d_device_r ead ( proc uid;  ring;  devuld;  devno;  opcode)  IS 
”(( h_kdt_mode ( procul d ♦ devno)Ii)  AND 

ring  <=  h_kd t_r b ( proc ui d » devno)I2)  AND 
h_val i d_read_op (h_dev_tyoe (devui d ) * opcode))  OR 
( h_kdt_roode ( procuid » devno) 131  ANO 
ring  <=  h_kdt_rb ( proc ui d , devno)(3))); 

BOOLEAN 

inva 1 1 d_device_wri te ( procul d*  ring*  devuld;  devno;  opcode)  IS 
“( (h_kdt_mode ( procuid * devno) 121  AND 

ring  <=  h_kdt_rb (proc ul d*  devnoHH  AND 
h_va 1 1 d_wr 1 te_op ( h_dev_t ype ( devul d ) , opcode))  OR 
( h_kdt_mode ( procul d * devno) 1 3 ) AND 
ring  <=  h_kdt_r b ( proc ui d ♦ devno)l3))); 

BOOLEAN 

unde f 1 ned_dev 1 ce_access ( procuid ; devno)  IS 
"h_kdt_access_de f 1 ned( procul d » devno) ; 

BOOLEAN  no_devlce_wrl te_perml ss 1 on ( procul d ; ring;  devno)  IS 
“ ( h_kd t_mode ( proc ui d»  devno) C 2 1 AND 
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BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 

BOOLEAN 


ring  <=  h_kdt_rb ( procui dt  devno)tll)? 

no_device_read_permisslon(procuid?  ring?  devno)  IS 
~ ( h_kdt_mode ( proc ui dt  devno) til  AND 
ring  <=  h_kdt_rb (procul dt  devno)(2)>? 

max_i o_opera t i ons ( procul d ? segno)  IS 
h_kst_seg_io_count (procuidt  segno)  = max_i o_count ? 

inva  lld_memory_l iml ts (procuid?  devuid?  seguld?  offset?  range)  IS 
IF  h_dev_map_type ( devul d ) = napped 
THEN  offset  >=  h_seg_ I ength(seguld) 

ELSE  (offset  ♦ range)  >=  h_se  g_  I engt  h(  segu  id)  OR 
(h_seg_paged ( seguid ) AND 
(offset  MOD  page_size  ♦ range)  > page_size); 

no_wr 1 te_memory_permi ssi on ( procui d?  devuid?  ring?  segno)  IS 
IF  h_dev_map_type( devuid)  = premapped 
THEN  ~ (h_kst_mode ( procul d,  segno) 1 2 1 ANO 

ring  <=  h_kst_rb ( procuidt  segnoitll) 

ELSE  FALSE? 

no_read_memory_permission(procuid?  devuid?  ring?  segno)  IS 
IF  h_dev_map_type ( devui d ) = premapped 
THEN  “ (h_kst_mode ( procui d»  segno) til  ANO 

ring  <=  h_ks t_rb ( procuid » segno)(2l) 

ELSE  FALSE? 

de vice_not_act ive( devui d ) IS 
~h_dev_acti ve(devuld) ? 

inva 1 1 d_segment_re ference ( procul d ? devno?  segno)  IS 
~ (h_kdt_segno( procuid t devnol  = segno)? 

ex i st i ng_trap_hand I er (procui d?  trapno?  ring)  IS 
( h_t rap_hand I er_ex 1st s ( procu 1 dt  trapno)  AND 
ring  > h_trap_r ing ( proc ui d » trapno))? 

no_trap_handler(procuid?  trapr.o)  IS 
~h_trap_hand I er_exi sts (procui d»  trapno) ? 

no_trap_outstanding(procuid?  trapno)  IS 
h_trap_depth( procuidt  trapno)  = 0? 

inner_ring_handl er (procui d?  ring)  IS 
h_proc_rlng(procuid)  > ring? 

ex ist 1 ng_l eve l_hand I er (procul d?  level?  ring)  IS 
(h_l evel _hand I er_exis ts ( procuid t level)  ANO 
ring  > h_ I eve l_ri ng( procul d*  level))? 
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EXTERNALREFS 
FROM  3ccess_l evel s : 

level_number  max_ln  $(maximum  level  number); 

INTEGER  cs_size  $ (category  set  size); 

V FUN  h_read_a I I owed ( b ; ai;  al)  ->  b? 

VFUN  h_wri te_a II  owe d(b * at;  al)  ->  b? 

VFUN  h_read_wrlte_al I owed(b ; al*  al)  ->  b? 

FROM  processes  : 

VFUN  h_proc_exis ts (procui d)  ->  b; 

VFUN  h_proc_a I ( procui d ) ->  at; 

VFUN  h_proc_trusted( procui d ) -»  b* 

FROM  volumes  l 

VFUN  h_vo I _m i n_a  I ( vo I ui d ) *>  al  » 

VFUN  h_vo I _mount ed ( vo I ui d ) ->  b» 

FROM  segments  t 

segment_o f f set  max_offset  Kmaximum  segment  offset); 
INTEGER  page_size  $(number  of  words  in  a page); 

VFUN  h_seg_exists (vol uid ; seguid)  ->  b; 

VFUN  h_seg_visibi I lty_al (seguid)  ->  al* 

VFUN  h_seg_a I (seguid)  ->  al* 

VFUN  h_seg_l ength (seguid)  ->  length; 

VFUN  h_seg_contents ( segui d;  offset)  -»  word; 

VFUN  h_seg_paged (segu id)  ->  b? 

VFUN  h_seg_page_ln_core(seguid;  pageno)  ->  b; 

OVFUN  read(seguid;  offset)  ->  word? 

OFUN  wri te (segui d;  offset*  word); 

OFUN  al I ocat e_p age (seguid ; pageno); 

OFUN  change_wi re_count (segu i d?  n); 

OFUN  set_page_used_indicator (seguid?  pageno)* 

OFUN  set_page_indicators(seguld»  pageno); 

FROM  devices  * 

device_type  max_dev_t ypes  Slmaxlmum  device  types); 
VFUN  h_dev_ex i st s ( de vui d ) ->  b; 

VFUN  h_dev_a I ( devuid ) ->  al* 

VFUN  h_dev_type ( devui d)  ->  dev_type* 

VFUN  h_dev_map_type (devuid)  ->  map_type» 

VFUN  h_va I i d_read_op ( dev_ty pe;  opcode)  ->  b; 

VFUN  h_va 1 i d_wri te_op ( dev_t ype ? opcode)  ->  b; 

VFUN  h_dev_ini tl ated( devui d)  ->  b; 

VFUN  h_dev_initiator (devuid)  ->  procuid* 

VFUN  h_dev_devno ( devui d)  ->  devno? 

VFUN  h_de v_ac t i ve ( devuid ) ->  b; 

VFUN  h_dev_contents (devuid)  ->  word; 

OFUN  ass i gn_de vi ce ( or ocul d;  devuid*  devno); 

OFUN  rel ease_device (devuid) ; 
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OF UN  set_device_acti ve(devuid) ? 

0 FUN  wri te_devlce (devuid ; word); 


FUNCTIONS 

OFUN  ass ign_segno ( vol ui d?  seguid?  segno) t procuid) ? 

$ (assigns  a segment  number  to  a segment  for  a process) 
EXCEPTIONS 

segno_i n_use ( proc ui d , segno) ? 
unmounted_volume(procuid,  voiuid) ? 
no_segment (procuid,  voiuid,  seguid); 

EFFECTS 

*h_kst_val id(procuid,  segno)  = TRUE* 

*h_kst_vo luid( procuid,  segno)  = voiuid; 

*h_kst_segui d(procui d,  segno)  = seguid? 

* h_kst_access_def ined (procuid,  segno)  = FALSE? 

* h_ks  t_seg_wl r ed (procuid,  segno)  = FALSE? 

’ h_ks t_seg_io_count (procui d,  segno)  = o? 

“h_seg_paged(seguld)  => 

* h_kst_seg_used (procuid,  segno)  = FALSE  AND 
* h_kst_seg_modi fied( procuid,  segno)  = FALSE? 

OFUN  release_segno (segno)  ( procui  dJ ? 

I (releases  a segment  number  for  a process) 

EXCEPTIONS 

Inval 1 d_segno ( procui d,  segno)? 
segment_wired(procuid»  segno)? 

EFFECTS 

*b_kst_va I id ( procui  d,  segno)  = FALSE? 

OVFUN  9 1 ve_acc ess (segno?  mode?  rb)[procuid)  •>  given  mode? 

$ ( g i ves  a process  access  to  a segment  and  returns  given  mode) 
DEFINITIONS 

volume_uld  voiuid  IS  h_ks t_vo I ui d ( procuid,  segno)? 
segment_uid  seguid  IS  h_ks t_segul d (procui d , segno)? 
access_l eve  I al  IS  h_seg_a I (seguid) ? 

BOOLEAN  readable  IS  h_read_al I owed (h_proc_trusted(proculd) , 

h_proc_a  I ( procui  d) , al)? 

BOOLEAN  writable  IS  h_wr i t e_a I I owed ( h_proc_tr usted ( procui d) , 

h_proc_al  ( procu  i d)  , al)? 

access_mode  max_mode  IS  VECTOR  (readab I e , writable,  readable)? 
EXCEPTIONS 

inval id_rlng_brackets(rb) ? 
i n val i d_segno ( proc ui d,  segno)? 
unmounted_vol ume(proculd,  voiuid)? 
no_segment (procuid,  voiuid,  seguid)? 

EFFECTS 

given_mode  = VECTOR  (FOR  i FROM  1 TO  3 l 

modeCil  ANO  max_mode( i 1) ? 

*h_kst_mode (procui  d,  segno)  = given_mode? 
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•h_kst_rb(procuid»  segno)  = rb? 

* h_kst_access_def ined( procui d»  segno)  = TRUE? 

OFUN  revoke_access ( vo I uid;  segui d ) I procui d ] ; 

$(revokes  access  to  segment  tor  all  processes 
forces  access  to  be  recomputed) 

EXCEPTIONS 

unmoun  t ed_vo I ume( procuid,  vo I u i d ) ? 
no_se gmen t ( pro cui d « voluid,  seguid)? 
write_not_al lowed(procuid,  h.seg.al (seguid) ) ? 

OEL AY_UNT IL  FORALL  proc  I h.proc.ex Ists (proc ) « 

(FORALL  segno  * h.kst.val 1 d ( proc , segno)  ANO 

h_kst_seguid(proc»  segno)  = seguid  « 
h.kst.seg.i o.count ( proc , segno)  = 0); 

EFFECTS 

FORALL  proc  : h_proc_ex i s t s ( proc ) * 

(FORALL  segno  » h_kst_va I id ( proc,  segno)  AND 

h.ks t.seg ui d ( proc , segno)  = seguid  : 

• h_kst_access_de f lned (proc » segno)  = FALSE* 

OFUN  r evoke_vo I .access ( vo I uid ? procuid)? 

$(revokes  access  to  all  segments  on  a volume) 

EFFECTS 

FORALL  seguid  : h_seg_exi s ts ( vol ui d , seguid)  t 

EFFECTS.OF  r evoke.acces s ( vol ui d,  seguid,  procuid)? 

OFUN  1 ni t_address_space ( procuid) * 

t ( ini t ia I izes  process  address  space) 

EFFECTS 

•h_proc_kst (procui d)  = te mp I at e_ks t * 

•h  proc.ac t i vi ty_l eve  I s (procui d)  - VECTOR  (FOR  1 FROM  l 

TO  pl.size  t 

IF  i = in i t_! eve  I THEN  TRUE  ELSE  FALSE)? 

* h_ leve I .hand  I er_ex i sts ( procu id,  inlt. level)  = TRUE? 

* h_  I eve  1 _ri ng ( procui d,  inlt. level)  = ini  t_exec.pt .r i ng ? 

• h_  I eve  I _se gno ( proc u i d , init.level)  = ini t.ex ec.p t • segno? 

•h_  leve l.of f set (procuid,  init.level)  = inlt_exec.pt . of f set? 

OFUN  pur ge.address.space ( procui d ) ? 

{(releases  all  segments  and  devices  in  address  space  of  process) 
EFFECTS 

FORALL  segno  : h.ks t.va 1 1 d ( procui d , segno)  » 

EFFECTS.OF  r e I e ase.segno ( s e gno , procuid)? 

FORALL  devno  : h.kd t.va I l d ( procui d , devno)  : 

EFFECTS.OF  re  I e ase.devno (de vno,  procuid)? 

OVFUN  read.se g ( se gno?  of f set )( procuid 1 ->  word? 

$ (reads  a word  from  a segment) 

DEFINITIONS 

ring_number  IS  h.proc.ring (procuid ) ? 

page.number  pageno  IS  (offset  ♦ pa ge.s ize ) /pa ge.s i z e ? 
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vo  t ume_ui d voluid  IS  h_ks t_vol ui d ( procui  d, 
segment_uld  seguid  IS  h_kst  segul d (procui d , 
EXCEPTIONS 


segno)  * 
segno) 


inval i d_segno ( procui d»  segno)? 
unmounted_vo I une ( procuid,  voluid) ? 
r'o_segment  (procui  d,  voluidT  seguid)? 
undef ined_access ( procui d*  segno) ? 
no_read_permi s s i on ( procui d * ring,  segno)? 
out_o f_bounds ( procui d,  segno,  offset)? 

effects 


word  = EFFECTS_OF  read(seguid,  offset)? 

~ti_se g_paged  (seguid  ) => 

* h_kst_seg_used(proculd,  segno)  = TRUE? 


OFUN 


wri te_seg (segno?  offset?  word) ( procuidl ? 

S ( wr 1 1 es  a word  of  a segment) 

definitions 

ring_number  IS  h_proc_ring (proculd ) ? 
page_number  pageno  IS  (offset  + page.size) /pa 
vo I ume_ul d voluid  IS  h_ks t_vo I ui d( procui d,  se 
segment_ui d seguid  IS  h_kst_seguid (proculd,  s 
EXCEPTIONS 

inva lid_segno(procuid,  segno)? 
unmoun ted_vo I ume ( procui  d,  vol uld) ? 
no_segment (proculd,  voluid,  seguid)? 
undef i ned_access ( procui d,  segno) ? 
no_wri te.permi ssion (procui d,  ring,  segno)? 
out_of_bounds ( procui d,  segno,  offset)? 


ge_s ize 
gno)  ? 
egno)  ? 


* 


EFFECTS_OF  wri te (seguid,  offset,  word)? 

~D_seg_paged(seguld)  => 

*h_kst_seg_used(procuid,  segno)  = TRUE  AND 
* h_ks t_se g_mod i f i ed( proculd,  segno)  = TRUE? 


OFUN  e xecut e_seg ( segno?  of f set ) t procuidl ? 

$ (executes  a word  from  a segment) 

DEFINITIONS 

ring_number  IS  h_proc_r ing (procui d ) ? 
page_number  pageno  IS  (offset  ♦ page_size) /page_size ? 
vol ume_uld  voluid  IS  h_ks t_vo I ui d( procui d,  segno)? 
segment_uld  seguid  IS  h_kst_seguid (procuid,  segno)? 
EXCEPTIONS 

inva I i d_segno ( procui d»  segno)? 

unmoun ted_vo lume( proculd,  voluid)? 

no_segment (procuid,  voluid*  seguid)? 

undef ined_access (procuid,  segno) ? 

no_e xecut e_per ml sslon(proculd,  ring,  segno)? 

out_of_bounds (procuid,  segno,  offset)? 

EFFECTS 

EFFECTS_OF  a I I oca te_p age ( segu 1 d,  pageno)? 
*h_proc_segno(procuid)  = segno? 
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•h_proc_o f f set (procui d)  = offset* 

IF  h_seg_paged ( segu id) 

THEN  EFFECTS_OF  se t_page_used_ In di ca tor ( segui d,  pageno) 

ELSE  * h_ks t_se g_used (proc uld,  segno)  = TRUE* 

OFUN  call (segno!  o f f set ) I procui d 1 ; 

{(initiates  inter-ring  inward  movement  for  process) 
DEFINITIONS 

ring_number  IS  h_proc_ring (procuid) * 
volume_uid  voluid  IS  h_ks t_vo I ui d { procui d»  segno)* 
segment_uid  seguid  IS  h_kst_seguid (procuid*  segno); 
EXCEPTIONS 

inva I id_segno( procuid*  segno)* 
unmounted_volume(proculd*  voluid) * 
no_segment (procui d*  voluid,  seguid)* 
unde f i ned_acce ss (procui d»  segno) * 
outside_call_bracKet(procuid*  ring,  segno); 
inva I i d_ca I l_l imiter(offset) ; 

EFFECTS 

*h_proc_ring(procuid)  = M I N ( Ch_proc_r ing ( pr oc  uld) , 

h_Kst_rb (procuid,  segno)(2)>); 
*h_proc_segno(proculd)  = segno; 

*h_proc_o f f set ( procui d)  = offset; 

OFUN  r e turn ( se gno ; offset;  ring) t procui dl ; 

{(initiates  inter-ring  outward  movement  for  process) 
EXCEPTIONS 

inward_return( procuid,  ring); 

EFFECTS 

• h_proc_ri ng ( procui d ) = ring; 

*h_proc_segno(procuid)  = segno; 

*h_proc_of f set (procuid)  = offset; 

OFUN  w tre_seg ( segno) I procui d) ; 

{(wires  segment  into  main  memory) 

DEFINITIONS 

volume_uld  voluid  IS  h_ks t_vol ui d ( procui d,  segno); 
segment_uid  seguid  IS  h_kst_seguld(procuid,  segno); 
EXCEPTIONS 

inval i d_segno (procui d,  segno); 
unmounted_vo I ume ( procu i d,  voluid) ; 
no_segment (procuid,  voluid,  seguid); 
undef ined_access ( procuid,  segno) ; 
segmen t_wi red ( procui d,  segno); 

EFFECTS 

•h_kst_seg_wired(procuid»  segno)  = TRUE; 

EFFECTS_OF  change_w 1 re_coun t ( segu 1 d , 1); 

OFUN  unw  ire_se g ( segno )( procui d)  ; 

{(unwires  segment  from  main  memory) 

DFFINITIONS 
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vo I ume_ui d voluld  IS  h_Ks  t_vo  I ui  d(  procul  cl,  segno); 
so  ymen  t _ul d seguld  IS  h_ks t_seguld (proculd,  segno); 
f XCFPTIONS 

lnva I i d_segno ( procul d*  segno)* 
unmoun t ed_vo I ume( proculd,  voluld); 
no_segment (proculd,  voluld,  seguld); 
undef ined_access (proculd,  segno) ; 
segment_not_wlred(proculd,  segno) ; 
segment_used_f  or_l o ( procul d,  segno) ; 

EFFECTS 

* h_kst_seg_wired ( proculd,  segno)  = FALSE? 

EFFECTS_OF  c hange_n 1 re_co un t ( s egui d , -l)? 

VF UN  h_proc_exec_pt (proculd)  ->  exec_pt? 

$ (returns  execution  point  for  process) 

hidoen; 

DERIVATION  <h_proc_r ing ( procul d ) , h_proc_segno ( proc ul d ) , 
h_proc_o  ffset(proculd)>; 

VFUN  h_proc_rlng ( proculd)  ->  ring? 

J (returns  effective  ring  of  execution  for  process) 
HIDDEN? 

INITIALLY  ring  = ?? 

VFUN  h_proc_segno (proculd)  ->  segno? 

Kreturns  segment  number  of  execution  point  for  process) 
H I ODEN  ? 

INITIALLY  segno  = ?? 

VFUN  h_proc_o f f set ( procul d ) ->  offset? 

$ (returns  segment  offset  of  execution  point  for  process) 

HIDDEN? 

INITIALLY  offset  = ?; 

VFUN  h_ I eve  I _hand I er_exl s ts ( proc uld ? level)  ->  b? 

$ ( returns  true  if  level  handler  Is  defined  for  process) 
HIDOEN? 

INITIALLY  b = FALSE? 

VFUN  h_proc_actl vity_level s(proccid)  ->  act  1 vlty_l eve  Is ? 

$ (returns  activity  level  indicators  for  process) 

HIDDEN? 

INITIALLY  ac 1 1 v 1 1 y_l eve  I s = ?? 

VFUN  h_proc_l eve  I (proculd)  ->  level; 

S(returns  execution  point  level  for  process) 

hioden; 

INITIALLY  level  = ?? 

VFUN  h_ | eve l_exec_pt ( procu 1 d?  level)  ->  exec_pt; 

$ ( r eturns  execution  point  for  level  handler  for  process) 
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hiooen; 

DERIVATION  <h_ I e ve I _r ing ( pr ocu  1 d « level)*  h_l e ve l_se gno( procu i d , 
level)*  h_l evel _of f set ( procui d*  1evel)>? 

VF  UN  n_ I eve  I _r ing ( procuid;  level)  ->  ring? 

{(returns  effective  ring  of  level  handler  for  process) 

hiooen; 

INITIALLY  ring  = ?? 

VF  UN  h_ I eve  I _segno ( procui  d ? level)  ->  segno? 

{(returns  segment  number  of  level  handler  for  process) 

hiooen; 

INITIALLY  segno  = ?? 

VF  UN  h_ I eve  I _o f f se t ( procui  d?  level)  ->  offset: 

{(returns  segment  offset  of  level  handler  for  process) 

hiooen; 

INITIALLY  offset  = ?? 

VFUN  level _handl er_exec_p t ( level ) (procuidl  ->  exec_pt; 

{(external  form  of  h_  leve l_exec_pt ) 

EXCEPTIONS 

undef ined_l eve  I (procui d,  level)* 

DERIVATION  h_ I e ve I _e xe c_pt ( procuid * level)? 

VFUN  proc_act i vl t y_ I e ve I s ( ) I proc ui d ) ->  act  1 vi ty_l eve  I s ? 

{(external  form  of  h_proc_ac t i v 1 ty_ I eve  I s ) 

OERIV AT  ION  h_proc_act ivity_level s( procuid) ? 

VFUN  h_kst_seg_wired(procuid?  segno)  ->  b? 

{(returns  true  if  segment  wired  by  process) 

HIOOEN? 

INITIALLY  b = FALSE? 

VFUN  h_ks t_seg_used ( procui  d ? segno)  ->  b* 

{(returns  true  if  unpaged  segment  used  by  process) 

HIOOEN? 

INITIALLY  b = FALSE? 

VFUN  h_kst_seg_modi f iedtproculd?  segno)  ->  b? 

{(returns  true  if  unpaged  segment  modified  by  process) 

HIDDEN? 

INITIALLY  b = FALSE? 

OFUN  decrement_seg_lo_count(procuid?  segno)? 

{(decrements  number  of  asynchronous  io  operations  on  segment) 
EFFECTS 

*h_kst_seg_io_count (procui d»  segno)  = 

h_kst_seg_i  o_count  (procuid*  segno)  - 1? 

VFUN  h_kst_seg_io_count ( procuid?  segno)  ->  lo_count? 
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$ (returns  number  of  asynchronous  io  operations  on  segment) 

hioden; 

INITIALLY  io_count  = 0? 

VFUN  h_kst_val ld< procuid?  segno)  ->  b? 

$ (returns  true  if  segment  number  is  valid  for  process) 

HI  ODEN ; 

INITIALLY  b = FALSE? 

VFUN  h_ks t_access_de f i ned ( procui d ? segno)  ->  b? 

$ (returns  true  if  access  defined  to  segment  for  process) 
hiooen; 

INITIALLY  b = FALSE? 


FUN  n_kst_rb ( procui d?  segno)  ->  rb? 

$ (returns  ring  brackets  of  segment  for  process) 
HIOOEN? 

INITIALLY  rb  = ?? 

VFUN  h_ks t_mode ( procui  d ? segno)  ->  mode? 

$ (returns  access  mode  to  segment  for  process) 
HIDDEN? 

INITIALLY  mode  = ?? 


VFUN  h_ks t_segui d ( procuid ? segno) 
$ (returns  seguid  of  assigned 
HIOOEN? 

INITIALLY  seguid  = ?? 


->  seguid? 
segno  for  process) 


VFUN 


h_kst_vo I ui d (procuid?  segno) 
S (returns  voluid  of  assigned 
HIOOEN? 

INITIALLY  voluid  = ?? 


->  voluid? 

segno  for  process) 


VFUN  ks t_vo I ui d ( segno) r procui d 1 ->  voluid? 
$(external  form  of  h_kst_vo  lui d) 
EXCEPTIONS 

inval i d_segno ( procui d*  segno)? 
DERIVATION  h_ks t_vo lui d( procui d * segno)? 

VFUN  kst_seguid( segno) I procuid)  ->  seguid? 
$(external  form  of  h_kst_se gui d) 
EXCEPTIONS 

invalid_segno(procuid»  segno)? 
DERIVATION  h_ks t_se gu i d ( proc ui d « segno)? 


VFUN  kst_mode( segno) I procuid)  ->  mode? 
$(external  form  of  h_kst_mode) 

EXCEPTIONS 

inva 1 i d_segno ( procui d»  segno)? 
unde f i ned_access ( procui d»  segno) ? 
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DERIVATION  h_kst _mode ( procu 1 d,  segno); 

VFUN  kst_rb  (segno  ) [procul  d ] ->  rb| 

$(external  form  of  h_kst_rb) 

EXCEPTIONS 

inval i d_segno{ proculd,  segno); 
undef ined_access ( procul d,  segno) ; 

DERIVATION  h_kst _rb ( pr oc ui  d , segno); 

OFUN  assign_de vno (devoid?  devno) I procul d 1 ? 

$(assigns  a device  number  to  a device  for  process) 

EXCEPTIONS 

devno_in_use ( procul d,  devno); 
no_device (proculd,  devuid)? 
devi ce_in_use( devui  d) * 

EFFECTS 

* h_kd t_va ) 1 d ( procul  d»  devno)  = TRUE? 

*h_kdt_devuid(procuid,  devno)  = devuid* 

* h_kdt_access_de f 1 ned( procul  d,  devno)  = FALSE? 
*h_kdt_dev_used(procuid,  devno)  = FALSE? 

* h_kdt_dev_modl f 1 ed ( procu i d,  devno)  = FALSE? 

EFFECTS_OF  ass  1 gn_d evl ce ( proculd , devuid,  devno); 

OFUN  release_devno(devno) [proculd]? 

$(releases  a device  number  for  a process) 

EXCEPTIONS 

inva I i d_devno ( procul d»  devno)? 
dev ice_ac t 1 ve ( procul d,  devno)? 

EFFECTS 

*h_kdt_val id(procul d,  devno)  = FALSE? 

EFFECTS_OF  r e I ease_de v 1 ce ( h_k dt_de vul d ( proc ui d , devno))? 

OVFUN  give_devlce_access( devno  ? mode?  rb?  I eve \ ) [ procui d]  ->  glven.modeJ 
$ ( g Ives  a process  access  to  a device  and  returns  given  mode) 
DEFINITIONS 

device_ui d devuid  IS  h_kdt_devui d (proculd,  devno)? 
access_l eve  I al  IS  h_dev_a I ( devui d) ? 

BOOLEAN  trusted  IS  h_proc_trusted (procui d) ? 

BOOLEAN  rw  IS  h_read_wri te_a I I o*ed ( t rusted , h_proc_a I ( procul d)  , 

al)  ? 

access_mode  max_mode  IS  VECTOR  (rw,  rw,  trusted)? 

EXCEPTIONS 

inva  1 1 d_de  v 1 ce_r  in  g_b  rackets!  rb)  ? 
undef 1 ned_ I eve  I ( procul d,  level)? 
inva 1 1 d_devno (proculd , devno)? 
no_devlce (proculd,  devuid)? 

EFFECTS 

gi ven_mode  = VECTOR  (FOR  1 FROM  1 TO  3 I 

mode ( 1 ) AND  max_mode  Til)? 

* h_kdt_mode ( procul d,  devno)  = given_mode? 

*h_kdt_rb (proculd,  devno)  = rb? 
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* h_Kdt_l eve  I ( procui d,  devno)  = level; 

*h_kdt_access_def ined ( procui d,  devno)  = TRUE; 

OF UN  revoke_device_access { devuid) t procui dl ; 

S (revokes  access  to  device 

forces  access  to  be  recomputed) 

EXCEPTIONS 

no_device(procuid,  devuid); 

writ e_not_a I lowedtprocuid,  h dev  al(devuid)); 

EFFECTS 

h_d ev_l ni 1 1 a ted ( de vui d ) => 

* h_kdt_acc ess_de 1 ine  d ( h _d  e v_ init iatorfdevui d) * 

h_dev_devno(devuid) ) = FALSE; 

OVFUN  sync_device_read( devno;  opcode > [procui d)  ->  word; 

$ (reads  a word  from  a device  synchronously) 

DEFINITIONS 

r ing_number  ring  IS  h_proc_ring( procuid)  ; 
devlce_ul d devuid  IS  h_kdt_devui d( proculd*  devno); 
EXCEPTIONS 

i nva I i d_de vno ( proc ui d»  devno); 

no_devl ce ( procuidt  devuid); 

unde fined_device_access( procui d,  devno) ; 

inva I i d_de vi ce_read (proculd*  ring,  devuid,  devno,  opcode); 
EFFECTS 

word  = h_dev_conten ts ( dev uld) ; 

•h_kdt_dev_used(procuid,  devno)  = TRUE; 

OFUN  sync_device_wri te (devno;  opcode;  word) [ procui dl ; 

$(wrltes  a word  to  device  synchronously) 

DEFINITIONS 

ring_number  ring  IS  h_proc_r i ng( procui d ) ; 
device_uid  devuid  IS  h_kdt_devui d ( procui d,  devno); 

EXCEPTIONS 

1 nval i d_devno ( procui d,  devno); 

no_device (procuid,  devuid); 

undef ined_device_access(procuid,  devno) ; 

inva I i d_de vi ce_wr i te ( proc ui d,  ring*  devuid,  devno,  opcode); 

EFFECTS 

EFFECTS_OF  wr i t e_de v ice ( d e vu i d , word); 

*h_kdt_dev_used (procui d,  devno)  a TRUE* 

*h_kdt_dev_modi f ied (procuid,  devno)  = TRUE? 

OFUN  c onnec  t_device_r ead (devno;  segno;  offset;  range ) [proc uid ) ; 

$ (starts  an  asynchronous  read  operation  from  a device) 
DEFINITIONS 

r ing_number  ring  IS  h_proc_r ing(procuid) ; 

Jevice_ui d devuid  IS  h_kdt_de vui d( procuid,  devno); 
segment_uid  seguid  IS  h_ks t_s eguld ( procui d,  segno); 
volume_uld  voluld  IS  h_ks t_vo I ui d ( procui d,  segno); 
oage_number  pageno  IS  (offset  ♦ page_size) /pa ge_si ze ; 
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EXCEPTIONS 

inva  I i d_de  vno  ( procui  d*  devno); 

no_devlce(procuid*  devuid); 

unde f 1 ned_de vlce_access ( procui d*  devno) * 

no_device_read_permiss 1 on ( procui d»  ring*  devno)? 

device_act i ve(procui d*  devno); 

invalid_segno(procuid*  segno); 

unmounted_vo I ume (proculd*  voluid)? 

no_segment ( procuid*  seguid)? 

undefined_access (procuid*  segno) ? 

segment_not_wired(proculd»  segno) ? 

max_i  o_operat  i ons  ( procui d , segno ) ? 

inval i d_memory_l imi ts( procui d*  devuid*  seguid,  offset,  range)? 
no_wri te_memory_permission ( procuid , devuid,  ring*  segno)? 
EFFECTS 

EFFECTS_OF  set_device_act ive (devuid)? 

* h_kdt _dev_used ( procui d*  devno)  = TRUE? 

*h_kst_seg_io_count ( procui d,  segno)  = 

h_kst_se g_lo_count ( procui d*  segno)  ♦ l? 

IF  h_dev_map_type ( devui d)  = mapped 
THEN  * h_kdt_segno(procuid,  devno)  = segno  AND 
• h_kdt_ring( procuid*  devno)  = ring 
ELSE  IF  h_seg_paged ( segui d ) 

THEN  EFFECTS_OF  se t _p age_ in d i cat ors ( se gu i d»  pageno) 

ELSE  *h_kst_seg_used  (procuid*  segno)  = TRUE  AND 
• h_kst_se g_modi f ied(procuid*  segno)  = TRUE? 


OF  UN 


async_device_read(devuid»  segno?  offset)? 

$ (asynchronous! y read  a word  from  mapped  device  to  segment) 
DEFINITIONS 


process_uid  procuid  IS  h_de v_i ni t i ator ( devui d ) ? 
device_number  devno  IS  h_dev_devno (devuid) ? 
ring_number  ring  IS  h_kdt_ring (procui d,  devno)? 
segment_uld  seguid  IS  h_ks t_seguid (procuid*  segno)? 
EXCEPTIONS 


device_not_active(devuld) ? 

inva I i d_segment_re ference ( procui d*  devno*  segno)? 
no_write_permission(procuid»  ring*  segno)? 
out_o f_bounds ( procui d*  segno*  offset)? 

EFFECTS 

EFFECTS_OF  wr i t e_se g ( se gn o « offset*  h_dev_con t en ts ( devui d) 

proc  ui d) ? 

“h_seg_paged (segu id ) - > 

*h_kst_seg_used(procuid»  segno)  = TRUE  AND 
’ h_kst_se g_modi fi ed( procuid*  segno)  = TRUE? 


t 


OFUN  c onnec t_dev i ce_wr i te ( devno?  segno?  offset?  range )( pro cui d 1 ? 
{(starts  an  asynchronous  write  operation  to  a device) 
DEFINITIONS 

ring_number  ring  IS  h_proc_ring( procuid) ? 
device_uid  devuid  IS  h_kd t_devui d ( procui d,  devno)? 
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OFUN 


segment_uld  seguid  IS  h_Ks t_segui d (procul d , segno)? 
volume_uid  voluid  IS  h_ks t_vol ul d ( procul d»  segno)? 
odge_number  pageno  is  (offset  page  slze)/page  size? 

EXCEPTIONS  “ ” ’ 

inva 1 1 d_devno ( procul d,  devno) ? 
no_devlce (proculd,  devuld) ? 
unde f 1 ned_devl ce_access (procul dt  devno) ? 
no_devlce_wrlte_permlsslon (proculd,  ring,  devno)? 
devl ce_act 1 ve ( procul d,  devno); 

Inva I id_segno( proculd,  segno); 
unmoun ted_vo lume (proculd,  vol uld) ? 
no_segment  (proculd,  seguid)? 
undef ined_access (proculd,  segno) ; 
segment_not_wlred(proculd , segno) ? 
max_io_operat 1 ons ( proculd , segno) ? 

Invali d_mem or y_limits( proculd,  devuld,  seguid,  offset,  range)? 
no_read_memory_permisslon ( procul d,  devuld,  ring,  segno)? 

EFFECTS 

EFFECTS_OF  set_devlce_act 1 ve (devuld) ? 

*h_kdt_dev_used (procul d,  devno)  = TRUE? 

| n_k dt_de v_modl f led ( pr ocu 1 d,  devno)  = TRUE? 

*h_kst_seg_i o_count (procul d,  segno)  = 

^_kst_seg_lo_count ( procul d,  segno)  ♦ i? 
n_de v_map_t ype (devuld)  = mapped 
THEN  * h_kdt_segno ( procul d , devno)  = segno  AND 
* h_kdt_ring(  proculd,  devno)  = ring 
ELSE  IF  h_seg_paged (segui d) 

THEN  EFFECTS_OF  set_page_used_lndi cat or ( segui d , pageno) 

ELSE  * h_kst_se  g_used  ( procul  d,  segno)  = TRUE? 

async_device_wrl te (devuld?  segno?  offset)? 

nilr)'?^ronOUS,y  write  a "ord  to  mapped  device  from  segment) 
DEFINITIONS 

orocess_uid  proculd  IS  h_dev_ lnl t iator ( devul d ) ? 
devi ce_number  devno  IS  h_dev_devno (devuld) ? 
ring_number  ring  IS  h_kdt_ring (procul d,  devno)? 
segment_uld  seguid  IS  h_ks t_seguld (proculd,  segno)? 

EXCEPTIONS 

device_not_act 1 ve (devuld)  ? 

inva 1 1 d_segmen t_ref erence ( procul d,  devno,  segno); 
no_read_permlssion (procul  d,  ring,  segno)? 
out_of_bounds(proculd,  segno,  offset)? 

effects 

EFFECTS.OF  wrl t e_devlce (d  evui d , EFFECTS_OF  read.seg ( segno,  offset. 


~)'_seg_paged(seguid)  => 

* b_ks  t_se  g_used  ( proc  ul  d. 


proculd) ) 


segno)  = TRUE? 


VFUN  h_kdt_va I Id (proculd?  devno)  ->  b? 

S (returns  true  if  device  number  valid  for  process) 
HIDOEN? 
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INITIALLY  b = FALSE? 

VFUN  h_kdt_devui d ( procui d ? devno)  ->  devuld; 

{{returns  devuld  of  assigned  devno  for  process) 

hiooen; 

INITIALLY  devuld  = ?; 

VFUN  h_kdt_mode( procuid?  devno)  ->  mode; 

$ (returns  access  mode  to  device  for  process) 

hidden; 

INITIALLY  mode  = ?; 

VFUN  h_kdt_rb (procui d ? devno)  ->  rb ; 

$ (returns  ring  brackets  of  device  for  process) 

HIDDEN? 

INITIALLY  rb  = ?? 

OF UN  reset_devlce_used_lndlcator (devuld) ; 

{(resets  local  device  used  indicator) 

EFFECTS 

*h_kdt_dev_used (h_dev_lni tlator(devuid) , 

h_dev_devno(devuid) ) = FALSE? 

OFUN  reset_devlce_modl fied_lndlcator (devuld) ? 

{(resets  local  device  modified  Indicator) 

EFFECTS 

*h_kdt_dev_modifled( h_dev_ln 1 tlator(devuld) « 

h_dev_devno( de vui  d) ) = FALSE? 

VFUN  h_kdt_dev_used ( procui d?  devno)  ->  b? 

{(returns  true  if  device  used  by  process) 

HIDDEN? 

INITIALLY  b = FALSE? 

VFUN  h_kdt_dev_mod 1 f 1 ed ( procui d?  devno)  ->  b? 

{(returns  true  if  device  modified  by  process) 

HIDOEN? 

INITIALLY  b = FALSE? 

VFUN  h_kdt_| evel (procui d?  devno)  ->  level? 

{(returns  level  of  device  handler  for  process) 

HIDDEN? 

INITIALLY  level  = ?? 

VFUN  h_kdt_se gno ( procui d?  devno)  ->  segno? 

{(returns  segment  number  being  used  by  device) 

HIDDEN? 

INITIALLY  segno  =?? 

VFUN  h_kdt_r ing( procui d?  devno)  ->  eff_ring* 

{(returns  effective  ring  for  mediation  of  device  asynchronous  lo) 
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hidden; 

INITIALLY  eff.ring  = ?? 

VFUN  kdt_devul d( devno) t procul d ] ->  devuld? 

$ (externa!  form  of  h_kdt_de vui d) 

EXCEPTIONS 

inva 1 1 d_devno ( procul d*  devno); 

DERIVATION  h_kdt_devui d( procul d*  devno)? 

VFUN  kdt_mode ( devno) C procul dl  ->  mode? 

$ (external  form  of  h_kdt_mode) 

EXCEPTIONS 

Inval id_devno( proculd*  devno); 
undefined_device_access(proculd*  devno) * 

DERIVATION  h_kdt_mode ( procul d*  devno)? 

VFUN  kdt_rb (devno) Iprocuid ) ->  rb? 

Kexternal  form  of  h_kdt_rb) 

EXCEPTIONS 

inva I i d_devno( procui d,  devno); 

undef ined_devlce_access (procul d*  devno) ? 

DERIVATION  h_kd t_rb ( procul d * devno)? 

VFUN  kdt_l e ve 1 (devno) I proculd ] ->  level? 

$(external  form  of  h_kdt_level) 

EXCEPTIONS 

invalid_devno(proculd*  devno); 

undef ined_device_access(proculd*  devno) ? 

DERIVATION  h_kdt _ I eve  I ( proc ui d * devno)? 

OFUN  set_trap_hand 1 er ( trapno?  exec_pt?  save_area) t procui dl ? 

$ (establ ishes  trap  handler  and  save  area  for  process) 

EXCEPTIONS 

lnner_r lng_hand I er( procul d * exec_pt .r Ing) ? 
existing_trap_handl er(procuid»  trapno*  exec_pt  .ring ) ? 
inva II d_segno (proculd*  ex ec_p t. segno) ? 

1 nval 1 d_segno( procul d*  save_area. segno) ? 

EFFECTS 

• h_trap_handl er_exlsts (proculd*  trapno)  = TRUE? 

* h_trap_ring(procul d,  trapno)  = exec_pt.r ing? 
*h_trap_segno(proculd*  trapno)  = exec_pt. segno? 

• h_trap_of f set (proculd*  trapno)  = exec_pt . o f f set ? 

• h_trap_save_segno( procui d*  trapno)  = save_area. segno? 

* h_trap_save_o f f set ( proculd*  trapno)  = save_area.of f set? 

OFUN  trapttrapno?  trap_lnfo) Iprocuid 1 ? 

$(lnitiates  trap  handler  for  process) 

DEFINITIONS 

rlng_number  IS  h_trap_r Ing (proculd » trapno)? 
segment_number  segno  IS  h_trap_save_segno ( proculd*  trapno)? 
segment_of f set  offset  IS  h_trap_save_of f set (procul d * trapno)? 
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vol  ume_uld  voluid  IS  h_ks t_vo I ui d ( procui  d,  segno)^ 
segment_uld  seguid  IS  h_kst_seguld(oroculd*  segno): 
EXCEPTIONS 

no_trap_handler (procuid*  trapno)  ? 

inva I i d_segno ( procui  d*  segno)? 

ur.moun  ted_vo  I u me  ( procuid,  voluid)  ♦ 

no_segment (procuid*  voluid*  seguid)? 

undefir, ed_access  (procuid,  segno)  ? 

no  wri te_perml ssl on ( procui d*  ring*  segno) » 

out_of_bounds(procuid,  segno,  offset  ♦ LENGTH ( trap.lnfo) ) ? 


EFFECTS 
* h_trap 
FORALL 
EFFEC 

• h_trap 

• h_proc 
• h_proc 
• h_proc 
“h_seg_ 

• h 

• h 


i_depth (procuid*  trapno)  = h_trap_depth ( procu i d,  trapno)  ♦ 1? 
I i j,  <=  l AND  i <=  LENGTH  ( trap_in f o ) t 
TS_0F  wri  te_seg  (segno*  offset  4-1-1*  trap_lnf  ot  i 1 * 

procuid) ? 

, save  of fsetlprocuid,  trapno)  = h_trap_save_o f f setlprocuid, 

trapno)  ♦ LENGTH (trap_ln fo) ? 

_ring(proculd)  = h_trap_ring(procuid,  trapno)? 

_segno( procuid)  = h_trap_segno (procuid » trapno)? 

_of f set (procuid)  = h_trap_of f set (procui d,  trapno)? 
paged(seguid)  => 

,_Kst_seg_used  ( proc  ui  d » segno)  = TRUE  ANO^ 

_kst_seg_modi fled( procuid,  segno)  = TRUE? 


OFUN 


return_f rom_trap ( trapno?  re turn_exec_pt ? trap_info) t procuid) * 
$ (returns  from  trap  handler  for  process) 

EXCEPTIONS 

no_trap_handl er (procuid*  trapno) ? 
no_trap_outstandlng ( procuid,  trapno)? 
inward_return( procuid*  return_exec_pt .ring) ? 


EFFECTS 

* h_trap_depth (procu 

* h_trap_save_o  f f set 

* h_proc_r ing(procui 
*h_proc_segno( procu 
*h_proc_of  f set (proc 


id,  trapno)  = h_trap_dep  th  ( procu  1 d* 
(procuid,  trapno)  = h_trap_save_of f 

trapno)  - LENGT 
d)  = r eturn_exec_pt.ring? 
id)  - return_exec_pt .segno? 
uld)  = return_exec_pt .o f f se t? 


trapno)  - 1? 
set (procuid, 
H(trap_in  fo) * 


VFUN  h_trap_handler_exists (procuid?  trapno)  ->  b? 

$ (returns  true  if  trap  handler  exists  for  process) 
HIDDEN? 

INITIALLY  b = FALSE? 

VFUN  h_t rap_depth ( procuid ? trapno)  ->  n? 

tlreturns  number  of  unprocessed  traps  for  process) 

HIDDEN? 

INITIALLY  n = 0? 


VFUN 


h trap  exec_pt  ( procui  d?  trapno)  ->  exec_pt? 

$Treturns  execution  point  of  trap  handler  for  process) 

HIDDEN? 
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OERIvATION  <h_trap_ring(proculd*  trapno) , h_tra p_segno (procul d* 
trapno) « h_trap_of fset (procuid*  trapno)>; 

VFUN  h_t rap_rlng ( procul  d;  trapno)  ->  ring? 

$ (returns  effective  ring  of  trap  handler  for  process) 

hiooen; 

INITIALLY  ring  = ?* 

VFUN  h_trap_segno (procuid;  trapno)  ->  segno* 

$ (returns  segment  number  of  trap  handler  for  process) 

hidden; 

INITIALLY  segno  = ?; 

VFUN  h_trap_of fset (procuid;  trapno)  ->  offset; 

$ (returns  segment  offset  of  trap  handler  for  process) 

hioden; 

INITIALLY  offset  = ?; 

VFUN  h_trap_save_area (procuid;  trapno)  ->  save_area? 

{(returns  trap  save  area  for  process) 
hidden; 

DERIVATION  <h_trap_save_segno(procui d«  trapno)* 

h_trap_save__of f set (procuid*  trapno) >; 

VFUN  h_trap_save_segno(procuid*  trapno)  ->  segno; 

{(returns  segment  number  of  trap  save  area  for  process) 

hiooen; 

INITIALLY  segno  = ?; 

VFUN  h_t rap_save_of f set ( procuid;  trapno)  ->  offset; 

{(returns  segment  offset  of  trap  save  area  for  process) 
hioden; 

INITIALLY  offset  = ?; 

VFUN  t rap_hand I er_exec_pt ( trapno) [ procuid 1 ->  exec_pt; 

{(external  form  of  h_trap_exec  pt) 

EXCEPTIONS 

no_trap_hand I er ( procul d*  trapno) ; 

OERIVATION  h_trap_exec_pt (procuid*  trapno); 

VFUN  trap_save_area(trapno) IprocuidJ  ->  save.area? 

{(external  form  of  h_trap_s «ve_area) 

EXCEPTIONS 

no_trap_handl er (procuid*  trapno) ; 

DERIVATION  h_trap_save_area (procul d.  trapno); 

OFUN  set_l evel_handl er ( level ; exec_pt )( procuid) ; 

{(establishes  level  handler  for  process) 

EXCEPTIONS 

inner_ring_handl er( procuid*  exec_pt.r ing) ; 

exist  ing_l  eve  l_handl  er  (procul  d*  level*  exec_.pt  .ring  ) ; 
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inva I 1 d_se gno ( procui d*  exec_ot «segno) ? 

EFFECTS 

•h_  leve l_handl er_exlsts (procui d*  level)  = TRUE? 

• h_ leve l_rlng ( procui d»  level)  = exec_pt .ring? 

*h_ I eve I _se gno ( proc ul d*  level)  ~ exec_pt« se gno ? 

*h_ leve l_o f f set ( procui d*  level)  = exec.pt. of f set ? 

OFUN  set_l eve  I (procui d?  level?  b)? 

$(sets  level  activity  flag  for  process) 

EFFECTS 

'h.proc.actlvity.l evel s (procuid)  s VECTOR  (FOR  i FROM  l 

TO  pl_size  * 

IF  i = level  THEN  b ELSE  h_proc_act ivi ty_ I evel s ( procui d) ( i 1 ) ? 


OFUN 


di spatch_ level ( procui  d ) ? 

$(dispatches  highest  priority  active  level  for  process) 

DEFINITIONS  , 

INTEGER  level  IS  MIN(1  I h_proc_act ivi ty.l e ve I s(procui d) l 1 

EFFECTS 

• h_proc_ring( procui d)  = h_level_ring(proculd*  level)* 

• h_proc_se gno ( procui d)  = h_level_segno(proculd,  level)? 
*h_proc_of fset (procuid)  = h_l evel_off set (procuid,  level)? 
•h_proc_l evel (procui d)  = level? 


1 ) 


OFUN  change_leve I (procuid) ? 

{(changes  activity  level  for  process) 

DEFINITIONS 

INTEGER  cur_! eve  I IS  h.proc.level (procuid) ? 

EFFECTS 

*h_level_rlng(procuid*  cur.level)  = h_proc_r i ng ( procui d ) ? 

*h_ leve l_segno( procui d*  cur_level)  = h.proc.segno(procuid)  » 
*h_l eve l_o f fset (procui d*  cur_level)  = h_proc_o f f set (procuid) ? 
EFFECTS_OF  dispatch_level (procuid) ? 

OFUN  modi f y_actlvi ty_level (level ? b)Iprocuidl? 

$(modifies  activity  level  indicator  for  process) 

EXCEPTIONS 

undef ined_l eve  I (procuid,  level)? 

EFFECTS 

EFFECTS_OF  set _ I eve  I ( proc uld « level*  b) ? 

OFUN  levdevel?  b)Cprocuidl? 

Jdnitlates  level  change  for  process) 

EXCEPTIONS 

undef ined_l eve  I (procuid*  level)? 

EFFECTS 

EFFECTS_OF  set_l eve  I (procuid*  level*  TRUE)? 
b =>  EFFECTS  OF  se t_ I evel ( procui d*  h_proc_l eve  I ( procui d) * 

FALSE) ? 

EFFECTS_OF  change.! eve  I (procui d) ? 
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MODULE  host_inter faces 


TYPES 

level _number  * CINTEGER  In  « 0 <=  In  AND  In  <=  max_ln>? 
category.set  x CVECTOR_OF  BOOLEAN  cs  : LENGTH(cs)  = cs_size>? 
sec ur i t y_ I e ve I x STRUCT  ( I e ve I _n ember  sin? 

category_set  scs)? 
in t e gr i t y_ I eve ! x STRUCT  ( I ev e I .number  iln? 

category_set  ics)? 

access_level  X STRUCT  ( securi ty_ 1 eve  I si? 

in tegr 1 ty_ leve  I I I > ? 

process_uid  X INTEGER* 
volume_uid  X INTEGER? 
segment_uid  x INTEGER? 

ring_number  x CINTEGER  rn  t o <=  rn  AND  rn  <=  max_ring>? 
ri ng_brackets  x CVECTOR_OF  rlng_number  rb  x LENGTH (rb)  = 3>? 
se  gmen  t_number  x CINTEGER  sn  X 0 <=  sn  AND  sn  <-  max_segno>? 
devlce_number  x CINTEGER  dn  x 0 <=  dn  ANO  dn  <=  max_devno>? 
segment_of f set  I CINTEGER  so  t 0 <=  so  AND  so  <=  max_offsetI? 
access_mode  I CVECT0R_OF  BOOLEAN  am  I LENGTH (am)  = 3>? 

segmental ength  x CINTEGER  length  X 1 <=  length  AND  length  <=  max_offset 

♦ IT? 

machine_word  I INTEGER? 

de vl ce_con tro I _da t a x VECTOR_OF  mach 1 ne_word ? 
device_status_data  x VECT0R_0F  machi ne.word? 
message  x INTEGER? 

message_queue  x VECT0R_0F  message? 


DECLARATIONS 

process_uid  procuid? 
volume_uid  voluld? 
segment_uid  seguid? 
ning_number  ring? 
ri ng_brackets  rb? 
se gment_numb er  segno? 
de vice_number  devno? 
se gmen t_o f f se t offset? 
access.mode  mode? 
segment_l ength  length,  range? 
machine_word  word? 

device_control_data  dev_control _data? 
device_status_data  dev_status_da  ta? 
message  msg? 

message_queue  msg_queue? 
access. I eve  I a I ? 

BOOLEAN  bt 
INT  GER  i ? 
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PARAMETERS 

INTEGER  ma  x_h  os  t .messages  {(maximum  size  of  host  message  queue); 
de vi ce_contro t _dat a ini t.device.control.data  {(Initial  control  data)* 


DEFINITIONS 


BOOLEAN  unmounted.vol ume(proculd?  voluid)  IS 
IF  “h.vo l.mounted ( voluid)  THEN  TRUE 

ELSE  "h.read.a I I owed ( h.proc.trus  t ed ( procul d ) t h_proc_al (procui d) , 

h.vol.min.al (voluid) ) ; 

BOOLEAN  no_segment (proculd?  voluid?  seguid)  IS 

~h_seg_exists(voluid,  seguid)  THEN  TRUE 
ELSE  "h.read.al lowed! h_proc_ trusted ( procui d ) « h_proc_a I ( procul d) t 

h_seg_visibi 1 lty_al (seguid) ) ? 


BOOLEAN  inval i d.devno ( procuid ? devno)  IS 
'h.kdt.va  I id(proculdt  devno); 

BOOLEAN  inval 1 d.segno ( procuid ? segno!  IS 
”h_kst_va I ld( procul dt  segno); 


BOOLEAN  undef i ned_access ( proc ul d ; segno)  IS 

h_ks t_access_def 1 ned ( procul d « se gno ) ? 


BOOLEAN  no_read_permlsslon(proculd?  ring?  segno)  IS 
“ (h.kst.mode (procui d*  segno) 111  AND 

ring  <=  h_kst_rb (proc uid»  segno)f2))? 


BOOLEAN  no_write_permlssion(procuid?  ring?  segno)  IS 
” ( h_ks t_mode (proculd*  segno) 121  AND 

ring  <=  h_ks t_r b ( proc ui d»  segno)! 1])? 


BOOLEAN  out_o f_bounds (procuid ? segno?  offset)  IS 

offset  >=  h.seg. I engt  h( h.ks  t_se  gui d( procui d»  segno))? 

BOOLEAN  message_pending( procuid?  devno)  IS 

h_host_msg_output_pending(procuidt  devno) ? 


BOOLEAN  no_message_ready (procuid?  devno)  IS 

h_host.msg_input.pend ing ( procui d*  devno) ? 

BOOLEAN  max_messages(procuid?  devno)  IS 

LFNGT H ( h_hos t _ms g_queue ( proc ui d » devno))  = max_hos t.messages ? 

BOOLEAN  int errupt_pendi ng ( procui d ? devno)  IS 

h_hos t_s i gnal .pending ( procui d v devno) ? 


A-59 


SCO  HP  KERNEL  SPECIFICATION  - 2/14/77 

Rev  B - 5/25/77 


DS  34028917 


EXTERNALREFS 
FROM  access_l eve  I s t 

level_number  max_ln  JOnaxlmum  level  number)* 

INTEGER  cs_size  $(category  set  size) ‘ 

VFUN  h_read_al I owed(b?  a I ; a I > ->  b? 

VFUN  h_wr 1 te_a I I owed ( b * ai;  al)  ->  b? 

FROM  processes  t 

VFUN  h_proc_a I (procui  d)  ->  a I ? 

VFUN  h_proc_trus ted ( procul  d ) ->  b; 

FROM  volumes  * 

VFUN  h_vo I _mln_a I ( vo I uld ) - > al? 

VFUN  h_vol_mounted(voluid)  ->  b? 

FROM  segments  * 

segment_of f set  max_otfset  $(maxlmum  segment  offset)? 
VFUN  h_seg_exlsts(vol  uid?  seguld)  ->  b? 

VFUN  h_seg_vlslo 1 1 lty_al (seguld)  ->  al? 

VFUN  h_seg_l engt h ( seguld)  ->  length? 

FROM  address_spaces  : 

ring_number  max_rlng  $(maximum  ring  number)? 
segment_number  max_segno  $(maximum  segment  number)? 
device_number  max_devno  $(maximum  device  number): 
VFUN  h_kdt_va I id ( procuid ? devno)  ->  b? 

VFUN  h_kst_va1 idfprocuid?  segno)  ->  b? 

VFUN  h_kst_access_def lned(proculd*  segno)  -»  b? 

VFUN  h_kst_mode ( procul d?  segno)  ->  mode? 

VFUN  h_kst_rb (procuid?  segno)  ->  rb? 

0 VFUN  read_seg( segno?  of f se t ) f procul d 1 ->  word? 

0 FUN  writ  e~seg ( segno  ? offset?  word) I procul d) ? 


FUNCTIONS 

OFUN  send_message ( se 3no?  offset?  range?  devno) [ procu i dl  ? 

$(sends  data  message  associated  with  device  devno  to  host  process) 
DEFINITIONS 

ring_number  IS  h_proc_ring (procuid) ? 

volume_uld  voluid  IS  h_ks t_vol ui d ( procul d»  segno)? 

segment_uld  seguld  IS  h_ks t_s eguid ( procul d*  segno)? 

EXCEPTIONS 

lnva 1 1 d_devno ( procul d»  devno)? 
lnva 1 1 d_segno( procul d*  segno)? 
unmounted_volume(proculd*  voluid) ? 
no_segnent (procuid,  voluid*  seguld): 
und ef 1 ned_access ( procuid*  segno) ? 
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no_read_permission(procul  d«  ring,  segno); 
out_of_bounds(procuid»  segno*  offset  «•  range); 
message_pendlng(procuid,  devno); 

EFFECTS 

*h_host_msg_output_pending (procuid*  devno)  = TRUE; 

* h_host_msg_output_segno( procuid » devno)  = segno; 
*h_host_msg_output_offset(procuid*  devno)  = offset; 
*h_host_msg_output_length(procuid*  devno)  = range; 

OFUN  recei ve_message ( segno ? offset?  devno) [procui d] ? 

$(recelves  data  message  associated  with  device  devno  from  host) 
DEFINITIONS 

ring_number  IS  h_proc_r ing (procuid ) ? 

vol ume_ul d voluid  IS  h_kst_volui d{ procuid*  segno)? 

segment_uid  seguid  IS  h_kst_seguid(proculd*  segno)? 

EXCEPTIONS 

inva)id_devno(procuid»  devno)* 
lnvalid_segno(procuid»  segno)* 
unmoun ted_vo I ume ( procui d*  voluid) ? 
no_segment (procuid*  voluid*  seguid)? 
undef ined_access(procuid*  segno) ? 
no_wri te_permi sslon ( procui d*  ring*  segno); 

out_of_bounds( procuid*  segno*  offset  ♦ h_host_msg_i nput_ I en sth( 

procui d,  devno) ) ; 

no_message_ready ( procui d*  devno) ? 

EFFECTS 

*h_host_msg_input_segno(procui d»  devno)  = segno? 
*h_host_msg_input_of f set(proculd»  devno)  = offset? 

OFUN  read_control_data (segno?  offset*  devno) ( procui d ] ? 

Ktransfers  device  control  data  from  host  process) 

DEFINITIONS 

ring_number  IS  h_proc_rlng (procuid) ? 

volume_uid  voluid  IS  h_kst_vol ui d (procuid*  segno)? 

segment_uid  seguid  IS  h_kst_seguid (procuid*  segno)? 

EXCEPTIONS 

inval i d_devno( procui d»  devno)* 
invalid_segno(proculd*  segno)? 
unmounted_vol ume (procuid*  voluid) ? 
no_segment (procuid*  voluid*  seguid)? 
undef 1 ned_access ( procuid*  segno) ? 
no_wri te_permi ssion(procul d*  ring*  segno)? 

out_of_bounds(procuid*  segno*  offset  ♦ LENGTH ( h_hos  t_contro l_data ( 

procuid*  devno))? 

EFFECTS 

FOR  1 FROM  i TO  LENG TH ( h_hos  t__cont  ro  l_da  ta (procuid*  devno))  » 
EFFECTS_OF  wr i te_se g ( segno  * offset  - 1 ♦ i* 

h_host_contro l_data( procuid*  devno) (11*  procuid)? 

OFUN  writ e_s ta tus_dat a ( segno?  offset?  range?  devno )( procui d 1 ? 

$ ( transf ers  device  status  data  to  host  process) 
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DEFINITIONS 

rlng_number  IS  h_proc_r in  g ( procui d ) » 

volume_uld  voluid  IS  h_kst_vol ui d( proculd,  segno); 

segment_uid  seguld  IS  h_kst_seguid (proculd,  segno)* 

EXCEPTIONS 

Inval i d_devno ( procui d,  devno)? 

lnva I i d_se  gno ( proculd*  segno)* 

unmoun t ed_vo I urn e( proculd,  voluid) * 

no_segment (proculd*  voluid*  seguld)* 

undef ined_access (proculd,  segno) * 

no_read_perml ss 1 on ( procui d»  ring,  segno); 

out_o f_bounds ( proculd,  segno*  offset  ♦ range); 

EFFECTS 

• h_hos t_s t a tus„dat a ( procui d*  devno)  = VECTOR  (FOR  1 FROM  1 

TO  range  * 

EFFEC  TS_OF  read_seg(  segno,  offset  -1  + 1,  proculd)); 

OFUN  send_wakeup (devno;  msg) tprocul d] ; 

{(sends  wakeup  message  to  host  process  associated  with  device  devno) 
EXCEPTIONS 

invali d_devno(proculd,  devno); 
max_messages(procuid»  devno); 

DEFINITIONS 

INTEGER  n IS  LENGTH ( h_hos t_ms g_queue ( procui d,  devno)); 

EFFECTS 

* h_hos t_msg_queue ( procui d » devno)  — VECTOR  (FOR  1 FROM  1 TO  n+1  t 
IF  i <=  n THEN  h_hos t_»sg_queue (proculd,  devno) til  ELSE  msg); 

OFUN  send_host_sl gna I ( devno) l proculd) ; 

$(sends  Interrupt  to  host  process  associated  with  device  devno) 
EXCEPTIONS 

1 nva 1 1 d_devno ( procu 1 d,  devno); 

1 nterrupt_pendl ng ( procui d,  devno) ; 

EFFECTS 

* h_host_s 1 gna I _pendi ng ( procui d , devno)  = TRUE; 

VF UN  h_host_msg_output_pend ing (procui d;  devno)  ->  b; 

$ (returns  true  If  process  has  data  message  to  host  pending) 

hidoen; 

INITIALLY  b = FALSE; 


VFUN  h_host_msg_output_se gno( procui d?  devno)  ->  segno; 

$(returns  segment  number  of  process  data  message  to  host) 

hidden; 

INITIALLY  segno  = ?; 


VFUN  h_host_msg_output_of f set ( procui d ; devno) 
{(returns  offset  of  process  data  message 

hidden; 

INITIALLY  offset  = ?; 


->  offset; 
to  hos  t ) 
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VFUN  h_hos  t_msg_output_l en  gtn (procul d?  devno)  ->  length? 

$(returns  length  of  process  data  message  to  host) 

HIODEN? 

INITIALLY  length  = ?? 

VFUN  h_host_msg_input_pendlng(procuid?  devno)  ->  b? 

HI00EN?nS  trU€  U Pr°cess  has  data  message  from  host  pending) 
INITIALLY  b = FALSE? 

VFUN  h_host_msg_lnput_segn  o( procul d?  devno)  ->  segno? 

$ (returns  segment  number  of  process  data  message  from  host) 

H I ODEN ? 

INITIALLY  segno  = ?? 

VFUN  h_host_msg_lnput_of  f set (procul d? 

$ (returns  offset  of  process  data 

HIODEN? 

INITIALLY  offset  = ?? 

VFUN  h_host_msg_input_l eng th( procul d? 

$(returns  length  of  process  data 

HIODEN? 

INITIALLY  length  = ?? 

VFUN  h_host_contro I _data (procul d?  devno)  -»  dev  control _da ta? 

$ (r eturns  device  control  data  from  host  memory) 

HIODEN? 

INITIALLY  dev_contro I _data  = In  1 t_de vice_cont ro I _data ? 

VFUN  h_host_status_data (procui d?  devno)  ->  dev_status_data ? 
t ( returns  device  status  data  from  host  memory) 

HIOOEN? 

INITIALLY  dev_status_data  = VECTOR  ()? 

VFUN  h_host_msg_queue ( proc ul d ? devno)  ->  msg_queue? 

S (returns  contents  of  process  message  queue  for  host) 

INITIALLY  msg_queue  = VECTOR  ()? 

VFUN  h_host_s 1 gna l_pendlng ( procul d?  devno)  ->  b? 

Sfreturns  true  if  signal  pending  for  host) 

HIODEN? 

INITIALLY  b = FALSE? 

VFUN  host_output_message_pendlng (devno) tprocuidl  - 
J (externa  I form  of  h_host_msg  output  pendlnq) 

EXCEPTIONS  ~ 

inval i d_devno( procul d*  devno)? 

DERIVATION  h_hos t_ms g_ou t pu  t_p ending (procul d » 


> b? 


devno)  ? 


devno)  ->  offset? 
message  from  host) 


devno)  ->  length? 
message  from  host) 
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VFUN  host_ lnput_message_pendl  ngC  devno)  I proculd]  - 
$ (external  form  of  h host_msg_lnput  pending) 
EXCEPTIONS 

Inval 1 d_devno ( procul d»  devno); 

DERIVATION  h_hos t_ms g_input _pendin g ( proculd, 

VFUN  host_input_message_l ength(devno) [proculd]  -> 
J (external  form  of  h_host_ms g_input_ 1 en gth) 
EXCEPTIONS 

Inva 1 1 d_devno ( procul d,  devno); 

no_message_ready ( proculd*  devno) * 
DERIVATION  h_hos t_ms g_lnput_length(proculd. 


ENO_MODULE 


> b? 

devno) ? 
I ength; 

devno)  ; 
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ABSTRACT 


Tms  document  describes  tne  spec  i f icat  i on  language  SPECIAL*  which 
is  a tool  developed  for  the  design  of  large  software  systems.  The 
language  is  based  on  a methodology  using  the  concept  of  a hierarchy  of 
modules*  and  provides  a convenient  facility  for  the  description  of  the 
properties  of  sue n modules.  The  syntax  of  the  language  is  described*  as 
well  as  tne  semantic  notions  related  to  »ts  various  constructs. 
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1.  INTRODUCTION 


The  design  and  proof  of  I ar je  software  systems  can  be 
facilitated  by  their  decomposition  into  modules*  as  suggested  by 
Parnas  (Par  72  a*  b) . A design  methodology  based  on  this  idea  has 
been  developed  at  SRI  (Neu  741  Rob  75  a*  b)*  and  applied  to  the 
construction  of  several  large  systems*  including  a secure  operating 
system  (Neu  75).  A significant  aspect  of  this  work  is  The  design  of 
SPECIAL*  a S.Pt£If  icat  i on  and  Assertion  Language*  which  is  described 
ne  r e . 

The  reader  xs  assumed  to  be  already  familiar  with  the 
methodology  itself.  The  concepts  underlying  the  construction  of  the 
language  are  not  emphasized  here  and  will  be  The  subject  of  a 
forthcoming  document. 

Tnis  manual  is  chiefly  concerned  with  the  syntax  of  the 
language  and  the  associated  semantic  rules.  A general  presentation 
of  the  language  and  the  objects  it  manipulates  is  first  given.  The 
“par  a graphs'*  that  may  appear  in  a module  specification  are  then 
described.  The  part  of  the  language  concerned  with  algebraic  and 
arithmetic  expressions  is  described  in  Section  10.  Further  sections 
contain  the  precedence  rjles  for  binary  operators  and  the  rules  for 
referencing  3n  object  (scope  rules). 

SPECIAL  has  evolved  through  several  forms.  The  present 
edition  of  this  manual  corresponds  to  the  second  version  of  the 
language. 


2.  GENERAL  PRESENT  A T 1 3 N OF  THE  LANGUAGE 


The  macroscopic  unit  expressed  in  SPECIAL  is  the 
soec i f i cat i on  of  a module  or  of  a set  of  mapp ing- f u net i on 
expressions.  The  first  word  of  a specification*  MODULE  (l)  in  the 
former  case*  or  MAP  in  the  latter*  provides  the  necessary 
di  s t inc  1 1 on  . 

We  art  chiefly  concerned  with  module  specifications*  because 
specifications  of  mappi  ng- f unc  t i on  expressions  use  only  a subset  of 
the  syntax  available  for  module  soeci f icat  ions . 


(l)  In  the  rest  of  this  document*  a word  written  in  upper  case  refers 
to  a SPECIAL  reservea  word. 
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A .nodule  specification  consists  of  a sequence  of  paragraphs 
appearing  Detween  the  header 

module  <symbol> 

and  the  Keyword  END.MDDULE.  The  paragraphs  are  entitled  TYPES, 
DECLARATIONS,  PARAMETERS,  DEFINITIONS,  EXTERNALREFS  and  FUNCTIONS  (or 
MAPPINGS,  for  mapping  function  spec  i f ica t i ons ) and  must  appear  n 
that  order.  A paragraph  starts  with  a keyword  (e.g.,  TYPES)  and  ends 
at  tne  beginning  of  the  next  paragraph  or  at  the  end  of  the  module. 
If  a paragraph  is  empty,  it  must  oe  omitted?  i.e.,  two  paragraph 
titles  may  not  follow  each  otner • 

Thus,  the  general  outline  of  a module  is  something  like 

MODULE  <symbol>  (2) 

DECLARATIONS 


PARAMETERS 


DEFINITIONS 


EXTERNALREFS 


FUNCTIONS 


END_MODULE 


Tne  part  of  the  language  tnat  deals  with  the  oblects  0 | a 
module  specification  is  known  as  the  iiiSQ  l&ii fi-i » "e  describe 

1 3 1 gp  a more  microscopic  level  known  as  the  d-iSfi.C.l-1-ilQ-  lfiY-Si.- 


(?)  Names  appearing  within  angle  Drackets  correspond  to  non-terminals 
of  the  grammar  (see  Appendix  A)?  <symbol>  is  a particular  non- 
terminal referring  to  any  identifier  that  is  not  a reserved  word, 
what  is  a legal  identifier  is  described  in  Section  17. 
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3.  THE  OBJECTS  USED  IN  THE  LANGUAGE 


The  specification  language  manipulates  several  Kinds  of 
objects*  all  of  which  are  "typed". 

3.i.  I*Qkk_aad_Imd_a£l.jii.LLaas. 

Eacn  ob ) ec t manipulated  by  tne  language  is  associated  with  a 
type.  For  the  descriptive  purpose  of  this  manual*  It  is  sufficient 
to  consider  a type  as  a set  of  possible  values. (3)  An  important 
aspect  of  the  language  is  the  description  of  the  constraints  imposed 
oy  types  on  arbitrary  expressions.  These  constraints  are  the  t vpe 
C.Ji-k-5  of  tne  language*  tney  describe  how  operands  of  various  types 
csn  be  combined  with  particular  operators  to  form  an  expression*  and 
wnat  type  this  expression  will  have. 

The  syntactic  representat i on  of  a type  is  a t yoe 
iakdi.li.Caii.OQ,  which  is  a description  of  the  properties  of  a type  as 
a whole?  type  specifications  are  described  in  Section  5.3. 

We  distinguish  various  categories  of  types  and  describe  them 

oe  I owi 


EdS.dg.ii.Qgd  iy.Qes2  Tne  predefine!  types  of  the  language  are 
300  LEAN , CHAR*  INTEGER,  and  REAL. 

ilSi^Qaiar  i;££££S  Designator  types  form  a class  of  oojects-- 
des i gnat ors--tnat  are  tokens  for  objects  manipulated  by  the  system 
being  specified.  Such  objects  may  not  oe  used  as  freely  as*  let  us 
say*  a number.  All  the  objects  with  tne  same  designator  type  are 
13Li.Qlii.DSd  by  a particular  module  and  can  be  created  only  by 
functions  of  this  module  (generally  using  the  primitive  NEW--see 
Section  11.15.1. 

Sddiar  LfcdkS.2  Scalar  types  are  types  explicitly  defined  as 
sets  of  constants  such  that  any  two  of  them  are  disjoint  (see  the 
comments  in  Section  5.4.),  t.g., 

direction  : C left,  right  J? 

which  defines  "direction"  as  oeing  a type*  elements  of  whicn  can  have 
only  ont  of  the  values  "left"  or  "right";  those  two  symbols  are 
implicitly  declared  as  constants  of  tne  type  "direction"  by  tne  type 
declaration.  Note  that  such  types  are  not  ordered  sets*  and  that 
only  two  operations  are  permitted  on  them!  = and  ~=.  Objects  of  a 


(3)  The  term  possible  values  should  be  distinguished  from  meaningful 
values,  wn ich  are  the  values  for  which  a particular  assertion  is 
true.  In  particular,  the  range  of  a function  is  a subset  of  the 
t ype  of  its  result. 
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scalar  tyoe  also  correspond  to  existing  objects  of  the  system  but  are 
not  mai ptai ned  by  a particular  module* 

C.2QS.lCU£istd  IdCCiS*  The  language  contains  two  gQdry.  type 
constructors,  SET_OF  and  VECT0R_UF,  used  to  define  sets  and  vectors 
of  objects  of  some  given  type,  and  two  Q-ary  type  constructors, 
3SE_0F  and  STRUCT,  used  to  define  UQitfi.il  i¥fi£S  and  S.tQUC.tUC. fi.il  l¥.ttfi.S» 
respectively*  Since  we  view  a type  as  a set  of  possible  values, 
0SE_0F  corresponds  to  the  union  operator  on  sets,  and  STRUCT 
corresponds  to  the  Cartesian  product.  Note  that  type  constructors 
aoply  to  types,  not  to  elements!  in  particular,  a set  type  defined  as 
"SET_OF  t”  is  a type  that  represents  a set  of  sets?  i.e.,  each 
element  of  this  type  is  a set  of  values  of  type  t. 

types i The  notion  of  subtype  corresponds  to  that  of 
subset!  the  language  provides  the  possibility  of  defining  a type  as 
an  explicit  set  of  constants  of  some  existing  type  or  as  the  set  of 
the  elements  in  a particular  type  that  satisfy  some  property.  The 
par t icu  lari ty  of  these  types  is  that,  for  the  purpose  of  type 
checking,  they  define  only  oojects  of  t ne  principal  type,  since  it 
would  require  at  least  a theorem  prover  to  verify  the  closure  of  a 
SJbtype  under  all  the  operations  defined  on  the  principal  type. 

The  term  primitive  LfcPfi  refers  to  types  that  are  sets  of 
primitive  values,  one  anotner  disjoint?  they  are  the  predefined, 
designator,  and  scalar  types.  We  can  now  define  a i)Lfi£  as  being  a 
primitive  type,  a subtype,  or  the  result  of  the  appiicati on  of  some 
of  the  type-constructors  to  a certain  number  of  types. 

3.2.  QfilafilS 

There  is  a distinction  between  the  objects  manipulated  by  a 
module  and  those  manipulated  by  the  specification  language,  the 
former  being  a subset  of  the  latter.  The  objects  of  a module  are 
functions  and  parameters  (designator  and  scalar  types,  although  being 
families  of  objects  rather  than  objects,  are  sometimes  referred  to  as 
oojects  of  the  module,  principally  because  they  can  be  referenced  in 
other  modules).  In  addition,  the  language  deals  with  so-called 
definitions,  formal  and  result  arguments,  and  locally  bound 
variables.  Each  object  has  a name,  a syntactic  class,  a scope,  and  a 
type.  The  syntactic  class  is  either  simple  or  functional?  a simple 
object  can  be  referenced  by  a single  identifier  (its  name),  whereas  a 
functional  object  is  referenced  oy  an  identifier  followed  oy  a list 
of  "actual  parameters"  which  are  expressions  of  the  language.  The 
scope  of  an  object  is  the  part  of  a module  specification  where  an 
object  can  oe  referenced  after  having  been  declared  (the  concept  of 
declaration  is  described  in  tne  following  section)?  for  instance,  the 
objects  of  a module  (functions  and  parameters)  have  the  entire  module 
specification  as  their  scope. 

3.2.1.  FgQ.fi.ii.fiQS. 

A function  is  an  object  of  tne  module  itself.  Its  syntactic 
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class  is  always  functional*  and*  in  addition*  a function  nas  to 
oelong  to  one  of  three  categories.  A category  is  either  VFUN,  OFUN, 
o-  OVFUN*  corresponding  to  the  V-»  0-,  or  OV-functlons  of  the 
Us  t h odo logy.  Functions  are  either  described  in  the  module  itself  or 
referred  to  as  external  by  appearing  in  the  EXTERNALREFS  oaragraph. 
A function  has  a (possibly  empty)  argument  list?  every  time  the 
function  is  referenced*  it  must  be  followed  by  a list  of  expressions* 
tne  elements  of  which  are  in  one-to-one  correspondence  with  the 
formal  arguments*  the  type  of  the  elements  being  the  same  for  each 
pair.  In  the  case  of  a V-  or  OV- f unc t i on,  the  function  also  has  a 
“result  argument**  of  a certain  type.  We  sometimes  mention  the  type 
of  a function*  thereoy  meaning  the  type  of  its  result  argument. 

3.2.2.  Eic amfeifir ^ 

The  parameters  of  a module  are  objects  that  receive  a value 
at  module  i ni t ia 1 izat i on  and  cannot  change  thereafter.  They  can  be 
either  Simple  or  functional  objects*  according  to  whether  the  value 
they  receive  is  a simple  value  or  a function  (in  the  mathematical 
sense).  They  represent  objects  that  are  fixed  in  one  particular 
module  instantiation,  but  can  be  different  in  different 
instantiations.  As  already  mentioned,  parameters  are  ob|ects  of  a 
■nodule,  and,  as  such,  their  scope  is  the  entire  module  specification. 

3.2.3.  Qe.Ii.Qlil.aas 

A definition  is  a named  object  that  can  be  textually  replaced 
oy  a particular  expression*  it  corresponds  to  what  is  generally  Known 
as  a macro.  Definitions  can  oe  either  simple  or  functional*  and  they 
can  be  declared  either  in  the  DEFINITIONS  paragraph*  in  which  case 
their  scope  is  the  whole  module  specification,  or  in  the  DEFINITIONS 
section  of  a function,  in  the  case  of  local  definitions  wnose  scope 
is  the  function  specification. 

Definitions  differ  from  the  general  concept  of  macros  in  that 
tne  expression  that  is  tne  body  of  the  definition  must  be  a valid 
expression  when  it  is  declared  and  not  Just  when  it  is  used  (the 
rjles  pertaining  to  the  use  of  definitions  guarantee  the  latter 
condition  if  the  former  one  is  satisfied).  Tnis  precludes  the  use  of 
free  variables  inside  definitions.  One  of  the  reasons  for  this 
handling  of  definitions  is  that  it  generally  prevents  the  same  name 
from  standing  for  two  totally  different  meanings  depending  on  where 
it  is  used. 


3.2.4.  Fgcinal-Arguiiiaili 

Tnese  are  the  variables  appearing  in  the  argument  list  of  a 
function  specification.  They  may  be  used  freely  within  the  function 
sp ec i f i c at i on.  Formal  arguments  are  always  simple  objects  of  the 

I an  guage • 


3.2. 5 . S&s.ull-Acdmas.als. 
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A V or  OV-function  have  one  and  only  one  result 

argument,  a simple  object  that  may  be  used  in  the  function 
soeci f i cat i on  to  refer  to  the  value  returned  oy  that  function. 


3.2.6. 

Locally  bound  variables  are  objects  whose  binding  remains  in 
effect  only  within  particular  expressions,  such  as 
expressions  (see  FORALL  and  EXlSTS--Section  11.10.)  or  set  and 
vector  constructors  (see  Sections  11.7.  and  H.8.).  Another 
important  use  of  such  variables  is  in  the  so-called  L E T - expre s si ons 

(see  Section  11.13). 


4.  BINDING  AND  THE  CONCEPT  OF  DECLARATION 


An  object  of  the  language  is  a rather  abstract  entity;  to  be 
manipulated  with  a minimal  degree  of  convenience,  an  object  must  be 
associated  with  a name.  Note  that  it  does  not  make  any  difference, 
as  far  as  the  properties  of  a function  are  concerned,  whether  its 
first  argument  is  named  “a**  or  "z",  provided  that  the  chosen  name  is 
used  consistently.  In  addition,  an  object  must  have  a type  and 
always  has  a "scope".  We  are  thus  confronted  with  the  proo  I em  ot 
associating  a name  with  a particular  object  (e.g.,  argument),  and 
also  of  associating  an  object  with  a particular  type.  What  one 

actually  does  is  to  associate  a name  with  a type,  and  a name  with  an 
Object,  which  thus  receives  the  type  associated  with  the  name. 

4.1.  £imai£_and_HuiLlelk_d&£lacaLlQak 

Tne  association  of  a name  witn  a type  is  performed  by  a 
particular  construct  of  the  language  known  as  a £l££.laC:aii.2Q.  A 
simple  declaration  has  tne  form* 

<simple  d ec I ar ation>  ::=  <type  speci f icat ion>  <symbol> 

(the  syntax  for  a type  specification  is  described  in  the  next 
section).  An  extrapolation  of  this  construct,  referred  to  as  a 
multiple  declaration,  can  be  used  to  associate  several  names  with  the 
same  type  specification,  using  the  syntax* 

< mu  1 1 1 o I e declaration*  **=  <simple  declaration* 

I <multiple  dec  I arat i on*  *,*  <symbol* 


Generally,  the  association  between  a name  and  a particular 
object  (the  “binding")  is  performed  implicitly  by  the  place  where  the 
declaration  of  the  name  appears?  for  example* 
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VFUN  f 1 { INTEGER  i ) ->  BOOLEAN  b? 
means  that: 

* The  name  i is  associated  with  the  type  INTEGER*  and  Is  bound  to 
be  the  first  (formal)  argument  of  fl. 

* Similarly,  the  name  b is  associated  with  the  type  BOOLEAN  and 
designates  the  result  argument  of  fl. 

* Lastly,  fl  itself  is  decl ared  as  a V-function  of  the  type 
( INTEGER  ->  BOOLEAN) . 

• 2 • ki2kAl_Qg.£l-£C£tiflQi_2asL_L0£LC_!iS.£ 

It  is  often  the  case  in  specifications  that  declarations  are 
an  important  portion  of  tne  whole  specification  and  t ha t type 
specifications  themselves  can  be  quite  complicated.  With  this  in 
mind,  SPECIAL  provides  the  possioility  of  separating  declarations  and 
b.ndings  (sometimes  called  the  "deferred  binding"  facility),  in  the 
case  of  formal  and  result  arguments  and  locally  bound  variables. 
T h i s separation  is  achieved  by  declaring  a name  (i.e.,  associating  it 
with  a type)  in  a global  DECLARATIONS  paragraph  (see  Section  6)*  and 
performing  the  binding  by  letting  the  name  alone  appear  where  a 
declaration  was  expected.  The  rules  for  using  deferred  binding  are 
described  oe I owl 

When  a declaration  is  expected,  two  cases  are  possible.  If 
there  is  indeed  a declaration,  the  name  is  associated  with  the  type 
appearing  in  the  declaration  and  is  pound  to  the  relevant  ob|ect,  as 
determined  by  the  lexical  position  of  the  declaration?  if  the  name 
has  already  appeared  in  a global  declaration,  the  new  local 
declaration  supersedes  the  global  one  for  the  scope  of  the  object. 
On  the  other  hand,  it  a single  name  appears  instead  of  the 
declaration,  the  name  designates  the  corresponding  object,  the  latter 
oeing  associated  with  the  type  appearing  in  the  global  declaration  of 
the  name.  It  is  obviously  an  error  to  use  a single  name  instead  of  a 
declaration  if  tne  name  has  not  appeared  in  the  DECLARATIONS 
oara  graph. 


RfiJ.flC.bf  In  the  case  of  formal  arguments  to  definitions  and 
functions,  the  language  allows  a list  of  njul  tiol  e declarations 
separated  py  •?*.  However,  if  globally  declared  names  are  used 
instead  of  dec  I arat ions , each  name  must  oe  followed  by  a •?*,  and  not 
by  a •,*?  in  other  words,  an  argument  list  of  the  form 

( INTEGER  i , | ? BOOLEAN  b ) 

should  be  written,  if  i,  J,  and  b had  been  declared  globally 


( i ? J ? d ) 
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5.  TYPES 


Tne  TYPES  paragraph  has  two  purposes:  it  allows  the  user  to 
introduce  the  c|e§i  gnutor $ of  the  module  and  to  associate  names  with 
type  specifications  (thus  providing  a macro-like  facility  for  types). 
Tne  names  defined  in  the  TYPES  paragraoh  as  particular  type 
soec i ficati ons  are  referred  to  as  "named  types". 

5.1.  fifiS-ianaLacs. 

A user-defined  type,  or  designator,  corresponds  to  a class  of 
oojects  that  are  tokens  for  aostract  objects  implemented  in  the 
software  system  being  specified.  It  must  have  a name,  introduced  by 
a declaration  of  the  form! 

<symDol>  : DESIGNATOR? 

The  name  introduced  in  this  declaration  will  thereafter  be  a 
primitive  type  of  its  own. 

5.2. 

A type*  as  defined  in  Section  3.1,,  may  involve  an  arbitrary 
umber  of  type  constructors,  leading  to  a complex  type  specification. 
Such  a type  expression  can  be  named  in  a statement  like 

<type  name>  1 <type  soe c i f i ca t ion > ; 

<type  name>  is  a new  identifier  that  can  textual ly  replace  the  type 
soeci fication  appearing  on  the  right-nand  side  of  the  equal  sign. 

5.3. 

A type  specification  is  the  syntactic  represent  at i on  of  a 

type. 


* A predefined  type,  a designator  or  a named  type  is  represented 
by  a symbo I . 

* A scalar  type  has  a specification  of  the  form: 

<scalar  type>  ::=  * C ' <symbol>  €*,*  <symbol>J*  *>*  (4) 


* A subtype  has  the  syntax  of  a set-expression  (see  Section  11.7) 

* A structured  type  is  defined  as: 


(4)  The  syntax  descriptions  used  in  this  manual  follow  the  extended 
8NF  conventions  descried  in  Appendix  A 
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structured  type>  ::  = STRUCT  •<•  C<dec  I arat  i on>  •?*>♦  *)* 

where  < dec  I arat i on>  is 

< dec  I arat ion>  ::  = <simple  dec  I arat ion> 

I <multiple  declaration> 

Each  declaration  introduces  a name  that  is  associated  with  a 
particular  component  of  a structure*  a "field", 

* A united  type  specification  is: 

<unAted  type>  »:=  ONE_OF  *(*  <tyoe  spec i f ica t i on» 

C’,*  <type  specification^*  *)* 


A united  type  is  a peculiar  concept:  Re  defined  have  earlier 
(Section  3.1.)  a primitive  type  as  a set  of  simple  values 
disjoint  from  all  tne  other  primitive  types  (in  particular,  for 
a purist,  the  predefined  types  should  Include  INTEGER  and 
"N0N_1NTEGER_REAL",  with  REAL  being  defined  as 

0NE_0F ( INTEGER, NON_I NTEGER_REAL I) . A united  type  which  is  the 
union  of  some  primitive  types  is  also  a set  of  simple  values 
but  is  not  necessarily  disjoint  from  tne  primitive  types.  In 
addition,  the  operations  defined  on  the  component  types  are  not 
defined  on  the  united  type,  with  the  exception  of  *=*  and  •"=* 
which  are  defined  on  any  type.  The  use  of  objects  of  united 
types  must  abide  by  certain  rules,  described  later  in  this 
document  (see  in  particular  TYPECASE — Section  11.12,  and 

coercion  rul es--Sect ion  14). 

* Sets  and  Vectors:  These  are  constructed  types  specified  by 

statements  of  the  form: 

<constructed  type>  ::=  CSET_0F  I VECTOR_OFJ  <type  spe c i f ica t ion> 


The  TYPES  paragraph  contains  an  arbitrary  number  of  type 
declarations  and  might  look  like: 

TYPES 

capability,  uri  i que_i  den  t i f i er  : DESIGNATOR? 
machine_word  : 0NE_0F ( I NTEGER , capability)? 
occtss.r i }hts  ! VECT0R_0F  BOOLEAN? 

the  syntax  being: 

cfypes  paragraph>  ::=  TYPES  C<tyoe  declaration>  * ? * > + 

<type  declaration  ::  = <symbol>  C *,*  <symbol>>* 

<type  spec i f icat i on> 


Page  9 


SPECIAL  Reference  Manual 


August  13»  1976 


5.4.  4ddiixflDai_C.fiiiiae.Qii 

Tne  following  remarks  concern  the  use  of  scalar  types  and 
subtypes?  those  may  not  appear  explicitly  except  when  used  to  define 
a named  type.  wnich  means  that  any  type  specification  having  the 
syntax  of  a set  expression  may  appear  only  inside  the  TYPES  paragraph 
or  tne  EXTERNALREFS  paragraph,  and  within  these  paragraphs,  may  not 
be  embedded  in  another  type  specification.  In  addition,  some  special 
rjles  apply  to  the  use  of  scalar  types,  since  some  problems  might 
arise  in  cases  like* 

TYPES 

tr a f f ic_l ight  I t green  , yellow  , red  >; 

color  : C red  , yellow  , green  , cyan  , blue  , magenta  >? 

Here,  we  have  first  to  consider  "green",  “yellow”,  and  “red”  as  three 
constants  of  type  "tra f f ic_l i ght".  Tnen,  when  seeing  the  second 
declaration,  we  must  realize  that  "green",  "yellow  , and  red  are  in 
fact  constants  of  the  type  "col  or"  an  J tnat  traffic_light  is  a 
subtype  of  "color”. 

Thus,  tne  definition  of  a scalar  type  is  the  following!  A 
scalar  type  specification  is  a set  of  literal  constants  such  that 
either  none  of  them  is  ever  jsed  in  any  other  type  specification  in 
tne  text,  or  some  of  them  are  used  to  define  a subtype  of  the  scalar 
type,  i.e.,  they  appear  in  a subset  of  the  set_e xpress i on  defining 
tne  sea  lar  t ype . 

This  definition  precludes,  in  particular,  the  following 
pathological  easel  Assume  that  "color"  is  defined  as  above,  but  the 
user  wishes  to  introduce  a more  sophisticated  traffic  light,  to  cope 
With  a particularly  dangerous  intersection,  as! 

tra f f ic_l ight t C green  , yellow  , red  , left_arrow  ) 

tnus  creating  the  problem  of  defining  tne  type  of  each  of  the 
constants,  since  "traf f ic_l  ight"  can  no  longer  be  considered  a 
subtype  of  "color".  Is  "green"  of  type  "color"  or  of  type 
"traf fic_l ight",  or  is  it  "0NE_3F(  color,  tra f f ic_l i ght >"?  Rather 
tnan  defining  complicated  rules  to  solve  this  problem,  we  prefer  to 
forbid  the  intermixing  of  constants  of  different  types  (the  problem 
raised  here  can  be  solved  by  defining  a scalar  type  that  is  a 
superset  of  both  "color"  and  "traf f i c _ I i ght") . 

Some  further  thought  should  also  be  given  to  the  concept  of 
structured  types.  One  has  to  realize  that  these  types  allow  the 
manipulation  of  tuples  of  heterogeneous  oojects,  but  that  their 
purpose  is  not  to  define  complex  data  structures  such  as  trees,  as  is 
ordinarily  done  in  modern  programming  languages  (e.g.,  Pascal).  It 
is  in  fact  one  of  the  goals  of  tne  methodology,  of  whicn  SPECIAL  is 
only  a part*  to  allow  the  modules  themselves  to  support  the 
specification  of  complex  data  structures,  and  there  is  no  reason  for 
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tnos-i  to  oe  provided  directly  by  the  language*  Therefore* 
recursively  defined  structured  types  are  not  allowed* 


6.  DECLARATIONS 


The  DECLARATIONS  paragraph  contains  declarations  (l*e** 
name/type  associations)  for  names  the  binding  of  which  is  deferred* 
as  described  in  Section  4*  If  the  user  does  not  wish  to  use  the 
deferred  binding  facility,  the  DECLARATIONS  paragraph  can  be  omitted* 

A declaration  associates  a name  with  a type  and  stays  in 
effect  within  the  entire  module. 

The  syntax  tor  the  DECLARATIONS  paragraph  is* 

<dec I arat ions>  ::  = DECLARATIONS  C<dec I arat ion>  • ; • >♦ 

with 

<dec  I arat  ion>  <tyoe  sped  f ic  it  ion> 

<symool>  £**•  <symbol>>* 


Examp  I e : 

DECLARATIONS 
BOOLEAN  b? 

INTEGER  i,j; 
capaoi I i t y c*  cl ; 
SET_OF  capability  sc* 


7.  PARAMETERS 


Starting  with  the  keyword  PARAMETERS*  this  paragraph  contains 
declarations  for  all  tne  module  parameters  (see  Sectipn  3*2*2)* 
Since  parameters  of  the  module  can  optionally  have  arguments*  the 
syntax  for  parameter  declarations  is  similar  to  the  syntax  for  global 
declarations*  with  the  option  of  appending  a formal  argument  list 
after  each  symbol: 
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<parameter  dec  I ara 1 1 on>  ::  = <typa  spec i f leaf ion>  <symbol> 

I <f ormal args> 1 

C*»*  <sy«bol >[<f ermal args>l >*  *»* 

< formal ar  gs>  ::=  * ( * T <dec I arat ion>  C*?*  <dec I arat ion> } * 1 ’ > * 


8.  DEFINITIONS 


Definitions  are  syntactic  shorthands  for  arbitrary 
expressions.  They  are  defined  in  the  DEFINITIONS  paragraph?  that  Is. 
the  name  of  a definition  is  associated  with  the  expression  for  which 
it  stands  by  a declaration  of  the  form: 

<definition>  ::=  < typespeci f icat ion>  <symbol > I < f ormal a rgs > 1 

IS  <e  xpressi on > * ? * 


The  type  specification  must  correspond  to  the  type  of  the 
expression.  this  redundancy  being  considered  beneficial  to  the 
clarity  of  specifications.  Toe  expression  appearing  in  the 
definition  may  reference  only  the  formal  arguments,  if  any.  and  the 
objects  that  are  bound  globally,  i.e..  parameters,  global  definitions 

and  functions. 

The  list  of  formal  arguments  may  be  omitted,  or  may  be 
present  but  empty?  there  is  a difference  in  tnat  a definition  with  an 
empty  argument  list  must  be  referenced  as  a functional  expression 
throughout  the  specification  (e.g..  ”foo()M)»  whereas  a definition 
with  no  argument  list  must  be  referenced  as  a sample  term  (e.g.. 
"fie").  There  is  no  semantic  difference  between  these  two  cases,  the 
only  difference  being  purely  syntactic. 


9.  EXTERNALREFS 


Although  the  decomposition  of  a software  system  into  modules 
is  intended  to  abolish  the  intermodule  assumptions  at  the 
specification  level.  this  is  not  always  possible.  A mecnanism  for 
referring  to  the  functions.  parameters,  and  designator  or  scalar 
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types  of  other  modules  is  therefore  needed  in  order  to  describe  these 
intermodule  assumptions.  This  is  the  purpose  of  the  EXTERNALREFS 
para  graph. 

The  paragraph  itself  is  divided  into  as  many  groups  as  there 
are  references  to  different  modules.  Each  group  starts  with  the 
he  ader i 

FROM  <symbol>  : 

wnere  <symbol>  is  the  name  of  an  external  module*  and  the  group 
contains  a list  of  declarations  and/or  function  headers. 

A declaration  has  the  regular  declaration  syntax*  as  in 
section  b»  or  the  syntax  of  a designator  or  scalar  type  declaration* 
as  described  in  Section  5. 

A function  header  is 

C VFUN  I OFUN  I OVFUN  > <symbol>  <formalargs> 

I •£*  <dec  I arat  ion>  C*?*  < dec  I arat  i on»  J*  *1*  J 
[ •->•  <dec 1 arati on>  ] * I* 

If  the  first  term  is  VFUN  or  OVFUN,  then  the  result  part  (i.e«*  *->* 
<dec  laratior.>)  should  be  present*  and  not  for  OFUN. 

As  will  be  shown,  this  syntax  is  also  used  to  begin  internal 
function  specifications. 

Lxa  mpi e : 

EXTERNALREFS 

FROM  capao  i 1 i t i es  I 

capability,  un i que_iden t i f i er * DESIGNATOR? 

access_type»  C read  , write  * execute  * modify  , append  >? 
OVFUN  create_caoab i I i t y ( I ->  c? 

OVFUN  res tr ic t_acces ( c apabi I i ty  cl* 

VECTOR_OF  access_type  atv) 

->  capabi 1 ity  c ? 

VECTOR_OF  access_type  atv? 

VFUN  get_uid(c)  ->  uni que_i denti f ier  u? 

FROM  segments! 

OVFUN  create_segment ( INTEGER  i* 

VECT0R_0F  capability  slv) 

->  capao i I i ty  s ? 

VFUN  h_seg_ex ists < unique_identi f ier  u)  ->  BOOLEAN  o? 

INTEGER  maxsegs? 
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10.  FUNCTIONS 


The  FUNCTIONS  paragraph  contains  the  specifications  for  all 
toe  functions  of  The  module  and  is  therefore  its  most  important  part. 

Tne  methodology  deals  with  OFUN,  OVFUN,  and  VFUN  which  all 
have  their  part icul ar i ti es , although  also  some  common  points. 

A function  definition  consists  of  a header,  possibly  a set  of 
local  macros  in  a DEFINITIONS  subsection,  and  other  subsections  which 
will  be  cnarac ter i zed  for  each  class  of  function. 

10.1.  I&£_EUQ£Liaa_d£La£tir 

Similar  to  that  described  in  Section  9,  it  looks  like 

£ VFUN  I OFUN  I OVFUN  > <symool>  <formalargs> 

[ •£•  <dec I ara t lon>  C*?*  <dec laration>>*  *]•  1 
[ •->•  <dec I arati on>  1 *?* 


As  in  definitions  or  external  references*  any  of  the  formal 
arguments*  as  well  as  the  result  argument,  may  have  been  declared  in 
tne  DECLARATIONS  paragraph  and  tnus  not  oe  preceded  by  a type 
soec  i ficati on. 

io.2.  ImaLi£i.i_A.c.ayaL£Qt  i 

The  optional  list  of  declarations  enclosed  within  square 
brackets  in  the  function  header  is  the  list  of  "implicit  arguments". 
An  implicit  argument  to  a function  is  an  argument  that  should  be 
provided  by  the  system,  and  not  by  the  user,  when  the  function  is 
called  (in  tne  actual  implementation).  In  terms  of  specifications, 
any  reference  to  a function  that  has  been  defined  with  implicit 
arguments  should  contain  as  many  actual  arguments  as  the  sum  of  the 
number  of  formal  and  implicit  arguments  appearing  in  the  function 
hj  ader. 


Example: 

A function  whose  header  is: 

VFUN  f ( INT EGER  i ) [ process.! d pi  ->  INTEGER  |? 
may  be  referenced  as  a function  of  two  arguments,  e.g., 
f (0  » Pi ) 
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10.3.  La££l_Q£.LA.o.i.iiaQk 

Hy  introducing  a section  with  exactly  the  same  syntax  as  the 
OKIINITIONS  oaragraon,  the  user  has  the  possibility  of  defining 
macros  fhat  are  Known  only  inside  one  function  specification.  Such 
definitions  have  the  advantage  of  being  able  to  reference  the 
arguments  of  the  function  that  have  only  a restricted  binding. 

10.4.  IHe._aaiiisitlifiQS_2L_a_y.riUQili.aQ 

The  two  remaining  sections  of  a V-function  describe  its 
formal  properties.  A V-function  may  be  visible  or  h i dden.  and-- 
independent  I y--d£Ci¥.fisi  or  primlt  ive. 

If  a V-function  As  visible,  it  may  be  referenced  in  programs 
outside  tne  module,  so  a list  of  exception  conditions  must  appear  in 
the  function  specification.  This  EXCEPTIONS  subsection  is  similar  to 
tne  one  appearing  in  3-  and  OV-function  specifications  and  is 
detailed  in  Section  10»5» 

On  the  other  hand,  a hidden  V-function  may  not  be  called 
outside  the  module  and  needs  no  EXCEPTIONS  subsection.  In  such  a 
case,  the  reserved  word  HIDDEN  appears  in  its  place. 

Tne  last  subsection  of  a V-function  specification  can  either 
define  the  initial  value  of  the  V-function  (for  primitive  V- 
functions)  or  explicitly  describe  the  functions  value  in  terms  of 
other  objects  of  the  module  (for  derived  V- f unc t i ons) • The  former 
case  is  described  through  an  assertion  of  the  form 

INITIALLY  <expression>  •?* 

where  <expression>  is  an  arbitrary  Boolean  expression.  In  the  latter 
case,  the  syntax  is 

DERIVATION  <expression> 

Here,  the  expression  must  have  tne  type  of  the  result  argument  of  the 
tunc  tior . 

SLfiOinifiQlS  * 

* The  set  of  all  primitive  V-functions  entirely  defines  the 
current  state  of  tie  machine  described  by  the  module.  The  set 
of  their  initial  values  thus  defines  the  initial  state  of  the 
modul e. 

* Derived  V-functions  are  often  used  to  restrict  or  to  package 
the  information  visible  outside  the  module. 

* Note  that  a V-function  that  is  both  hidden  and  derived  is  very 
similar  to  a global  definition. 

The  general  syntax  for  a V-function  specification  is  thus 
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VFUN  <symbol>  ( [<decl aration>  C*  , * <declarat ion>>*  1) 

->  <dec  1 arat  ion>  ' 

[DEFINITIONS  C <definition>  *?*  >+  1 

CHIDDEN  •;*  1 t EXCEPTIONS  C <expression>  *?*>  + IT 

CINITIALLY  1 DERIVATION}  <expression>  '?* 


As  opposed  to  V “ f unc  t i on  s , 0”  and  0V~ f unc t i ons  are  always 
visible(5)  and  consequently  may  have  an  EXCEPTIONS  subsection.  Since 
Doth  perform  some  operations  that  affect  the  state  of  the  module, 
tney  also  have  an  EFFECTS  subsection. 

10.5.1.  IHfi-EJCQELPIiafiS.-a^afiiiiaQ 

This  subsection  contains  a list  of  conditions  that,  if  any  is 
satisfied  (i.e.,  evaluates  to  TRUE  when  the  function  is  called), 
should  prevent  any  effect  from  taking  place  and/or  any  value  from 
being  returned.  If  an  exception  condition  is  raised,  control  is 
returned  to  the  calling  program  with  "appropriate**  notification  to 
tne  caller.  Exactly  how  this  notification  is  made  depends  on  the 
conventions  of  tne  programming  language?  we  mention  here  only  the 
constraints  imposed  oy  tne  specification  language. 

An  exception  condition  is  a Boolean  expression?  the  order  in 
whicn  the  conditions  are  listed  is  important!  The  meaning  of  the 
EXCEPTIONS  subsection  is  that  each  condition  should  be  checked  in 
LiiC.Q,  and  only  if  all  the  conditions  are  false  should  the  effects 

take  place  and/or  tne  value  be  returned.  The  calling  program  may 

depend  on  the  order  in  wnich  the  exception  conditions  are  checked. 
For  example,  a reasonable  EXCEPTIONS  subsection  might  be* 

EXCEPTIONS 

h_i nterrup t_se t ( i 1 = FALSE? 

n_i nt_handl er_of f se t ( i 1 = ?? 

(where  the  two  functional  expressions  are  likely  to  be  V-function 
references),  which  might  mean  that  i does  not  refer  to  any  interrupt 
in  the  first  exception  and  that,  if  it  indeed  does,  no  interrupt 
handler  exists  for  it  in  the  second  exception?  this  illustrates  that 
tne  second  exception  mignt  be  meaningless  had  not  the  first  one  been 
checked  before. 

There  is  also  a particular  construct  intended  to  oe  applied 
only  in  tne  EXCEPTIONS  suosection* 

EXCEPT  1 0NS_0F  <call>  *?* 

wnere  <call>  should  be  a reference  to  an  external  function.  The 


(5)  Probably  the  only  Justification  for  this  fact  is  that  the  need 
for  hidden  0 or  OV-functions  has  not  yet  been  felt. 
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Interprefdf  ton  of  this  construct  is  that  for  each  exception  condition 
of  the  external  function*  there  exists  a logically  equivalent 
exception  condition  in  tne  current  function.  The  order  in  which  the 
exceptions  appear  in  the  external  function  is  preserved*  and  the 
corresponding  conditions  are  to  be  checked  after  all  those  that 
precede  the  MEXCEPTI0NS_3F"  expression. 

The  syntax  for  the  EXCEPTIONS  subsection  can  oe  descrioed  as 

<exceptions>  :t  = EXCEPTIONS  C <expression>  *?' 

I E XCE  P TI ONS_OF  <ca I I > *J*  > + 


Note  that  this  expression  forces  at  least  one  expression  to 
occur  in  the  EXCEPTIONS  subsection?  if  the  function  has  no 
exception*  the  whole  subsection  should  be  omitted. 

10.5.2.  lo.si_£LLL£Ii_iu!2ae.c.li.aa 

The  EFFECTS  subsection  contains  a list  of  assertions  that  are 
Boo  I ean  expressions  and  have  the  following  meaning*  If  the  function 
is  referenced  and  no  exception  is  detected*  then*  after  the  function 
call*  the  cont uncli op  of  all  the  assertions  appearing  in  tne  EFFECTS 
subsection  may  be  assumed  to  be  TRUE. 

If  the  EFFECTS  subsection  of  function  f contains  the 
assertions  ai*  a2».»»»an»  l.e.*  looks  like 

EFFECTS  al?  a2?...?  an? 

and  the  EXCEPTIONS  subsection  refers  to  el,...*em  (l.e.*  EXCEPTIONS 

el?  e2?...?em?  ) then*  using  Hoare's  notation,  a reference  to  the 

function  f has  The  meaning 

NOT  (el  OR  e 2 OR. ..OR  em)  CO  al  ANO  a2  AND. ..AND  an 


Note  that*  in  the  EFFECTS  subsection*  the  order  of  the 
assertions  is  irrelevant. 

In  the  case  of  an  OV-function*  one  of  the  assertions  might 
state  the  equality  of  the  result  argument  with  some  expression*  thus 
defining  the  value  returned  oy  the  function,  but  this  is  not 
mandatory?  the  result  argument  should*  however,  appear  in  at  least 
one  of  the  effects*  in  order  not  to  oe  undefined. 

10.5.3.  Loa_a£kAY_aonaij.itaQi 

In  addition  to  the  EXCEPTIONS  and  EFFECTS  subsections*  an  0- 
or  0 V- f unct x on  may  contain  an  arbitrary  numoer  (although  generally 
only  one)  of  so-called  DELAY  expressions  which  have  the  syntax: 

DELAY  UNTIL  <expression>  *?* 
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where  <expression>  must  oe  8ooJean»  and  the  conjunction  of  all  the 
delay  conditions  can  be  taken  as  an  input  assertion  to  the  function? 
in  other  terms*  this  means  that  the  effects  will  not  take  place  until 
all  the  conditions  evaluate  to  TRUE. 

This  concludes  our  description  of  the  macroscopic  or 
specification  level  of  tne  language.  The  microscopic  (or  assertion) 
level  deals  with  the  kind  of  construct  we  have  been  so  far  referring 
to  as  <expression>  or  assertion.  with  the  distinction  that  an 
assertion  is  an  expression  of  type  BOOLEAN.  This  part  of  the 
language  is  described  next. 


11.  EXPRESSIONS 


The  assertion  language  has  a relatively  large  set  of  syntax 
rules  for  writing  concise  mathematical  expressions  to  describe 
conditions  related  to  a function  behavior.  In  certain  cases*  the 
semantics  associated  with  these  '•ules  may  require  a detailed 

description.  This  section  explores  the  different  constructs  used  in 
mathematical  expressions?  an  interesting  aspect  to  be  considered  is 
tne  set  of  type  rules  associated  with  each  operator. 

11.1. 

Tnese  are  the  simplest  kind  of  expression  (from  the  syntactic 
standpoint)?  an  atomic  expression  can  be  one  of  the  following! 

* Numeric  constant!  A numeric  constant  may  be  either  of  type 

INTEGER  (any  nonemoty  sequence  of  digits)*  or  of  type  REAL  (a 

string  of  digits  followed  by  a period  followed  oy  another 
string  of  digits  followed  by  tne  letter  E followed  by  an 
optionally  signed  string  of  digits*  where  either  the  integer 
part  or  the  fractional  part  may  be  omitted,  and  the  decimal 
point  or  the  exponent  may  also  oe  omitted — but  not  both). 

* Character  and  string  constant:  A constant  of  type  CHAR  is  a 

single*  printable  ASCII  character  enclosed  within  two  “ (back 

apostrophe).  A string  constant  has  tne  type  ”VECTOR_OF  CHAR” 
ana  consists  of  any  sequence  of  printable  ASCII  characters 
enclosed  within  two  ” (double-quote).  The  precise  rules 
concerning  character  and  string  constants  may  depend  on  the 
implementation  (see  Section  17). 

* Boolean  constant!  These  are  the  keywords  TRUE  and  FALSE. 

* Symbolic  constant:  Any  identifier  appearing  in  a scalar  type 
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dec  I arat i on  will  subsequently  oe  considered  a constant  of  that 
type.  In  addition*  the  two  symbols  UNDEFINED  and  ? are  two 
synonyms  which,  for>  each  type,  refer  to  a particular  value  of 
that  type,  different  from  any  other  value  (the  particular  type 
is  determined  by  the  context  where  they  appear).  It  is  a part 
of  the  verification  task  to  check  that  the  implementation  of 
ary  visible  V-  or  OV-function  can  never  return  the  value 
UNDEFINED. 

* Reference  to  an  oojectf  The  name  of  any  object  that  has  a 
binding  and  whose  syntactic  class  is  not  functional  is  an 
atomic  expression  whose  type  is  that  of  the  object.  Such 
references  can  be  to  parameters  or  definitions  when  they  have 
been  declared  without  arguments,  formal  arguments  of  functions 
and  definitions,  result  arguments  of  V-  and  0V- f unct i on s » and 
simple  variaoles  within  expressions  where  they  have  a binding 
(i.e.,  within  set  and  vector  constructors*  quantified 
expressions,  and  expressions  starting  with  LET  or  SOME). 

11.2.  iirliAQSit-LOQ_Sfiis.Cs.lc.fei 

A reference  to  a V-function  has  the  form 

(*]  <symbo1 > <actual  list> 

where  <actual  I i s t > is  defined  as 

*(*  I <expressioo>  C*»*  <expression>>*  1 ' 

and  is  used  as  such  in  the  rest  of  this  document.  It  corresponds  to 
tne  actual  arguments,  which  must  match  in  number  and  type  the  formal 
arguments  of  the  function  definition. 

<symool>  should  oe  the  name  of  a V-function  either  defined  in 
the  module  or  appearing  in  the  EXTERNALRtFS  paragraph. 

The  first  symbol,  ■ , is  optional.  Its  meaning,  within  the 

EFFECTS  part  of  a function  specification,  is  that  the  reference  is 
made  to  the  value  of  the  V-function  immediately  slilfir  all  the  effects 
of  the  0-  or  OV-function  being  specified  have  occurred?  if  it  is 
omitted,  the  reference  is  to  the  value  immediately  Qatar fi  the  call. 
Note  that  this  is  meaningful  only  in  the  EFFECTS  section,  since  in 
any  otner  place  there  is  no  distinction  between  before  and  allac.  and 
in  the  EXCEPTIONS  subsection,  a reference  is  always  made  QfilaLS  any 
effect  takes  place. (6) 


(6)  We  must  add  at  This  point  an  important  historic  note:  Until  now, 
all  The  module  specifications  derived  from  Parnas*  ideas  used 
quoted  expressions  to  refer  to  aid  values  of  V-functions. 
However,  this  notation  could  not  be  used  consistently  because  in 
the  same  function  specification,  unquoted  references  would  have 
two  different  meanings,  depending  whether  they  appeared  in  the 
exceptions  or  in  the  effects  of  the  function.  Permuting  the 
convention  takes  care  of  this  possible  confusion. 
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The  tyoe  of  a V-function  reference  is  the  type  of  the 
function  itself. 

11.3.  Sfel£Cfia£L£S._ta_LUQ£.LiaQa.l_aiiL£C.lS. 

we  deal  here  witn  parameters  and  definitions  introduced  with 
an  argument  list.  A reference  to  such  objects  has  a syntax  very 
Similar  to  that  of  a V-function  reference: 

<symbol>  <actual  I i s t > 

with,  for  definitions.  the  usual  meaning  of  a macro  expansion,  the 
type  being  that  of  the  macro.  and.  in  the  case  of  a parameter . that 
of  a mere  reference  to  its  value. 

11.4. 

A reference  to  an  0-  or  OV-function  is  made  by  the  use  of  the 
keyword  EFFECTS_0F 

LFFECTS-OF  <symbol > <actual  list> 


In  tne  case  of  0-functions.  this  expression  is  of  type 
Boolean?  its  value  is  UNDEFINED  if  some  exception  is  detected?  it  is 
FALSE  if  the  effects  of  the  0-function  that  is  referenced  are  never 
satisfiable.  A value  of  TRUE,  on  the  contrary,  means  that  all  the 
assertions  specified  in  the  EFFECTS  section  of  the  corresponding  0- 
function  hold. 

In  the  case  of  an  OV-function,  tne  type  of  the  expression  is 
that  of  the  result  argument  of  the  function,  and  the  expression 
itself  is  both  a reference  to  the  value  of  The  OV-function  and  an 
indication  that  all  its  effects  are  true  at  the  point  where  the 
EFFECTS OF  appears. 

The  next  sections  describe  tne  operators  used  in  the 

language.  They  are  classified  by  the  types  on  which  they  operate? 
tne  word  "mode"  appearing  in  a type  description  refers  to  a 
particular  type  which  does  not  have  to  be  specified.  The  discussion 
concerning  precedence  of  various  operators  is,  however,  deferred  to 
Section  12. 

11.5.  Bpol  ean-Valuel_Qae.c.alaris, 
n.5.1.  aioacy—Quatidtacs. 

A'iO  and  OR 

Syntax:  <exoression>  CAND  I OR)  <expression> 

Type:  BOOLEAN  X BOOLEAN  -->  BOOLEAN 

Meaning:  usual  conjunction  or  disjunction?  ’error*  if  one 
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of  the  operands  is  not  BooJean.(7) 


Syntaxt  expression^  =>  expression_2 
Types  BOOLEAN  X BOOLEAN  -->  BOOLEAN 
Meanings  usual  implication,  i.e.» 

< expre ss i on_2  OR  NOT  expressi on_l I = TRUE 
’error*  if  one  of  the  expressions  is  not  Boolean. 

i i . 5 . 2 . &4lau.£Qai_2aE.i:aLac.i 


Syntax!  exp_l  C - I “=>  exp_2 
Types  mode  X mode  -->  BOOLEAN 

the  types  of  exp_i  and  exp_2  may  be  either! 
any  type,  provided  it  is  the  same  for  both, (8) 
or:  any  type  for  one  expression  and  UNOEFINED  for  the  other, 

ors  UNOEFINED  for  oothj 
Meanings  usual  = or  * 

<t  < = , >=,  > 

Syntax:  exp_i  €>!>=!<=!<}  exp_2 

Types  number  X njmber  -->  BOOLEAN 
(where  number  is  either  INTEGER  or  REAL) 

Meaning?  the  usual  order  relations  on  numbers. 

1L  . 6 . flUfi.CsiliaQS._aQ_bLiiffla.£C.S. 

Tne  operations  on  numoers  are  the  usual  ♦■ » -»  * and  /,  where 
- can  be  either  unary  or  binary?  in  addition,  the  operator  MOO  is 
also  provided.  The  meaning  and  use  do  not  depart  from  those 
generally  encountered.  Numbers  are  either  of  type  INTEGER  or  of  type 
REAL.  Both  types  can  be  intermixed  according  to  the  following  rules! 
A binary  operotion  involving  two  integers  will  have  the  type  INTEGER, 
and  an  operation  where  at  least  one  of  the  operands  is  real  will  have 
the  type  REAL.  In  particular,  the  operator  /,  when  applied  to  two 
integers,  will  y*eld  the  integer  part  of  tne  quotient  of  the  two 
operands,  whereas  if  one  of  the  operands  is  of  type  REAL,  the  result 
should  be  the  quotient  itself.  In  addition,  some  primitives  are 
provided  in  the  language  for  specifying  the  integer  and  tract iona I 
parts  of  a real  (see  Section  11.16.1.  The  use  of  MOO  is  restricted 
to  INTEGER  operands. 

All  the  binary  operators  on  numbers,  as  well  as  those  on 
3ooleans,  or  on  sets  are  left-associative. 


(7)  When  the  term  ’error’  is  used,  it  does  not  refer  to  any 
particular  value,  but  rather  means  that  under  the  conditions 
associated  with  it  a specification  would  oe  incorrect,  as  far  as 
SPECIAL  is  concerned.  In  other  terms,  it  is  considered  as 
erroneous  to  say  “l  AND  TRUE"  as  t>  say  "00  I = l,  10"  in  a 
spec i f icat i or. 

(8)  For  more  about  type  matching  rules,  see  Section  14. 
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11.7,  Ucac.aii.iiDs._fici_S.fiti 
n.7.1.  uaar^_QctcaLar 
CARDINALITY 

Syntax*  CAROINALITY(<set  expressions 
Type*  set-mode  -->  INTEGER 

Value:  The  number  of  elements  in  tne  set  designated  by  its 

argument 

11.7.2.  B.i_Qa£*_Qfi£CaLfir£ 

JNION 

Syntax!  <set  expression*  UNION  <set  expression> 

Typel  SET_OF  ml  X SET_OF  m2  -->  SET_OF  m3 

where  m3  is  the  larger  of  ml  and  m2  if  they  match,  and  their 
union  otherwise?  note  that,  when  the  types  of  the  two 
arguments  do  not  match,  the  result  will  have  the  type  of  the 
minimal  union  of  the  two  types,  e.g., 

If  the  type  of  si  is  "SET_OF  INTEGER** 

and  the  type  of  s2  is  **ONE_OF  ( SET_OF  BOOLEAN,  SE  T_0F  CHAR)*' 
then  si  UNION  s2  will  be  a 

**ONE_OF(  SE T_OF  0NE_0F{  BOOLEAN*  INTEGER)* 

SE  T_0F  0NE_0F  (CHAR  * INTEGER))** 

Meaning:  The  usual  union  of  two  sets. 


INTER 

Syntax:  <set  expression*  INTER  <set  expression* 

Typel  SE T_0F  ml  X SET_OF  m2  -->  SF.T_OF  m3 

where  m3  — ml  if  ml  is  the  same  as  m2;  generates  an  error  if 
mi  and  m2  refer  to  disjoint  types,  and  m3  is  the  intersection 
of  mi  and  m2  otherwise. 

Example: 

If  SI  is  of  type  ’*  S E T _0  F ONE_OF  ( INTEGER*  BOOLEAN)** 
and  S2  of  type  **ONE_OF(  SET_0F  INTEGER,  SET_OF  CHAR)’*, 
then  si  INTER  s2  is  of  type  **SET_OF  INTEGER** 

Meaning:  usual  set  intersection. 


DI  FF 

Syntax:  set_i  DIFF  set_2 

Type:  SE  T_OF  ml  X SET_0F~m2  — > SET_OF  ml 

Generates  an  error  if  mi  and  m2  cannot  have  any  common  value. 
Example! 

If  set_l  is  of  type  **SET_0F  ON£_OF  ( I NTEGER , BOOLEAN)**  and 
set_2  is  of  type  '*0NE_0F  <SET_OF  INTEGER,  SET_OF  CHAR)**),  then 
the  result  will  have  the  type  of  t he  first  argument. 
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Meaning?  Ex  i x « set_i  AND  x A set_2> 
1 1 . 7 . 3 . Predicates 


INSET 

Syntax:  <e xpressi on>  INSET  <set_expressl on> 

Type:  mi  X SET_OF  m2  -->  BOOLEAN 

Generates  an  error  if  mi  and  m2  are  totally  disjoint  types 
(as  with  DIFF). 

Meaning:  The  expression  is  TRUE  if  the  first  operand  is  in 

the  St t represented  by  the  second* 

SUBSET 

SynTax:  set_l  SUBSET  set_2 

Type:  SET_OF  ml  X SET_OF  m2  — > BOOLEAN 

mi  and  m2  are  sub| ect  to  the  same  constraints  as  with  INSET* 
Meaning:  The  expression  is  TRUE  iff  set_i  is  a subset  of 

set_2.  Note  that  "si  SUBSET  s2"  can  be  defined  as  : 

FORALL  X INSET  si:  X INSET  s2 

h.7.4.  S.fe.L_C.flQatny 

Explicit  Constructor 

Syntax:  *C*  expressions  t ...  , expressions 

(Here,  tne  curly  OracKets  are  actual  symbols  of  the 
I an  guage . ) 

Type:  If  all  the  expressions  have  the  same  type,  let  us  say 

t,  then  tne  result  will  be  of  type  ”S£T_0F  tM;  otherwise,  it 
will  be  '*SET_OF  0NE_0F ( ti , . . , t J ) ” where  the  united-type  is 
the  minimal  union  of  the  types  of  the  expressions* 

Value:  The  set  S such  that: 

expressions  « S (i  =1,  2***»n) 

Implicit  Constructor 

Syntax:  *C*  <simole  declaration>  *1*  <expression>  • )• 

Type:  < express! on>  must  oe  Boolean?  result  is  of  type 

"SE1_0F  t '*  where  t is  the  type  of  the  variable  appearing  in 
the  declaration. 

Value?  "Ct  x I e(xl}“  is  the  set  of  all  x*s  of  type  t such 
that  e ( x ) is  TRUE* 

1 1 . a . Qfi£Haii.aQs._an_y.£C.Lacs. 

Extractor 

Syntax:  <vector  expression>  [<integer  expression* ] 

Type:  If  tne  first  operand  is  of  type  "VECTOR_OF  t",  the 

result  will  be  of  type  t. 

Value?  vt i ] is  the  ith  component  of  the  vector  v* 

LENGTH 

Syntax?  LENGTH (< vector  expressions 
Type:  VEC T 0P_0F  mode  -->  INTEGER 

Value?  the  numoer  of  components  (dimensionality)  of  its 
operand. 
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Explicit  Constructor 

syntax:  VECTOR ( exp_l ,...» exp_n) 

Type:  If  exp_i » . • • ,exp_n  are  all  expressions  of  type  t*  then 

The  result  will  oe  of  type  "VECTOR_OF  t"?  if  the  types  are 
different.  The  result  will  oe  a vector  of  the  minimal  union 
of  these  types. 

Val uei  V such  that 

LENGTH  (V)  = n and 

Vtil  = exp_i  for  i = l»  2»»..»  n 

Implicit  Constructor 

Syntax:  VECTOR  *(*  FOR  <symool>  FROM  <expression> 

TO  <expression>  *1*  <expression>  *) * 

Type:  If  the  last  expression  always  has  the  type  t,  then  the 

result  wi  I I be  a MVECT0R_0F  t '*  (the  expressions  following 
FROM  and  TO  must  have  the  type  INTEGER).  Note  that  this  is 
tne  only  place  in  the  language  where  a name  is  bound  to  an 
object  that  need  not  be  previously  declared?  the  symbol 
following  FOR  is  a locally  bound  variable  whose  type  is 
always  INTEGER. 

Value!  V = VECT0R(  FOR  1 FROM  expi  TO  exp2  I f(l>) 
is  the  vector  such  that: 

LENGTH ( V ) = exp2  - expi  t l and 

VCil  = f (expi  ♦ i - 1)  for  i = 1,  2,...,(exp2  - expi  * 1) 
11.9.  Ql>e.r  alxaDi-fiQ-SiCiiiiVACfiS 
Extractor 

A reference  to  a particular  field  of  a structure-expression 
(i.e.t  an  expression  whose  type  is  a structured  type)  can  be 

made  by  appending  a *.*  followed  by  the  name  of  the 
particular  field  after  the  structure-expression  itself.  The 
syntax  is  thus: 

<expression>  *•*  <symbol> 

Type:  The  type  is  that  associated  witn  the  field  name  in  the 
structure  declaration. 

Meaning:  The  structure  expression  being  a tuple,  the 

extractor  refers  to  the  value  of  tne  nth  element  of  this 
tuple*  if  the  field  name  appeared  in  the  nth  position  in  the 
structure  declaration. 

Explicit  Constructor 

Syntax:  •<•  e xp_l , . . . , e xp_n  *>* 

Type!  tl  X ....  X tn 

where  ti  is  the  type  of  the  ith  expression  in  the  list. 

Value:  the  tuple  whose  ith  element  is  exp_i , for  i from  1 to 

n. 


Implicit  Constructor 

Syntax:  •<*  FOR  <symbol>  FROM  <expression>  TO  <expression> 

* : * <expressi on>  * >* 

Type!  t X ....  X t 

i.e.t  the  n-fold  Cartesian  product  of  the  type  of  the  third 
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expression*  where  n is  the  difference  between  the  second  and 
first  expressions. 

Meaning!  The  tuple  < exp_l* . . . * exp_n  > where  exp_l  is  the 
value  of  the  third  expression  evaluated  when  the  indicia! 
variable  (i.e.*  the  <symbol>)  has  the  value  of  the  expression 
following  FROM*  augmented  of  i-1. 

1 1 . 1 d . fludDii.iJuSi_tifiCSiiiLU.aQi 

Although  quantified  expressions  are  constrained  to  yield  a 
Boolean  value*  they  have  oeen  placed  in  this  separate  section  because 
of  their  particular  syntax  rules. 


Joiversal  Quantifier 

Syntaxi  FORALL  C < qua  I i f i c at i on>  I < dec  I arat i on >> 

C *;*  C< qua  I i f ica t ion>  I <dec I arat ion> > J* 
• : * <expressi on> 


with!  <qua I i f icat i on>  it  = €<simole  declaration>  I <symbol>> 

CINSET  I •!*>  <expression> 


Type!  BOOLEAN 

Meaning!  as  in  predicate  calculus 

Remarks!  The  <exoression>  following  the  '!*  will  presumably 
depend  on  the  variables  declared  after  the  quantifier.  These 
variables  are  bound  locally*  only  in  the  last  expression  (see 
Scope  Rules*  Section  12).  The  optional  qualification  may  be 
used  to  further  qualify  the  variable,  without  complicating 
the  main  quantified  expression. 

The  general  way  of  expressing  something  such  as  “for  all  x*s 
such  that  P(x)»  Q(x)  is  true"  is! 


FORALL  x I P(x)  ! Q(x) 

whereas  “for  all  x*s  in  the  set  S,  Q(x>  is  true"  would  be 
written  as ! 

FORALL  X INSET  S 1 Q(x) 

(Note  that*  in  toe  two  examples  above*  we  used  the  deferred 
binding  facility,  presuming  that  x appeared  in  the 
DECLARATIONS  paragraph. ) 

Several  variables  may  be  quantified  simultaneously*  e.g.* 

FORALL  X I P (X)  ; y I Q(y)  * z : R(x*  y*  z) 

In  such  a case*  each  quantified  variable  may  appear  in  its 
own  qualification  and  in  the  main  (quantified)  expression* 
bur  not  in  the  qualification  of  another  variable. 

The  aDove  expression  has  the  following  meaning! 

FORALl  x ! FORALL  y 1 FORALL  z ! P (x ) ANO  Q(y>  =>  R(x,  y,  z> 


Existential  Quantifier 
Syn  tax ! 
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EXISTS  E<qual i f ication>  I <d ec I arat 1 on> } 

C •;*  C<qual i f icat ion>  I <dec I arat ion>> 

: <expression> 

Type:  BOOLEAN 

Meaning:  as  in  predicate  calculus 

Remarks:  same  as  above. 

11.11.  C.2naiii2Q4l_£>iacfi.is.LaQS 

Syntax:  IF  <expression>  THEN  <expression>  ELSE  <exoression> 

Type:  Consider  the  expression 

IF  P THEN  el  ELSE  e2 

If  el  and  e2  have  the  same  type,  that  type  will  be  the  type 
of  the  whole  expression;  if  one  of  el  and  eZ  (or  both)  is 
UNOEFINED  or  ?,  then  the  type  will  match  anything.  If  the 

types  of  el  ahd  e2  do  not  match.  then  the  type  of  the 
expression  will  oe  the  union  of  the  type  of  el  and  the  type 
of  e2 * 

Meaning:  x = IF  P THEN  el  ELSE  e2  is  an  abbreviation  for 

(P  ANO  (x  = el))  OR  ((NOT  P)  ANO  (x  = e2) 

Remark:  The  ELSE  part  must  always  be  present! 

11.12.  LIP 

This  kind  of  expression  Is  orobaoly  the  most  complex 
construct  of  the  language.  It  is  intended  to  be  used  in  cases  where 
tne  type  of  an  object  used  m the  system  being  specified  cannot  be 
Known  before  execution  time.  Its  purpose  is  to  allow  a temporary 
alteration  of  the  type  of  an  object,  from  a united  type  to  one  of  the 
component  types.  This  is  particularly  desirable  because  it  permits 
tne  application  to  the  object  of  some  operations  that  would  not  be 
defined  on  the  united  type  without  compromising  the  safety  of  type- 
cneck  ing. 


Syntax: 

TYPECASE  <symbo I > OF 
type_i:  exp_l» 

type_2:  exp_2; 


type_n:  exp_ni 
ENO 

Type:  The  type  of  the  whole  expression  will  be  the  minimal 
union  of  the  types  of  exp_l*..«.  exp_n.  in  the  sense  tnat.  if 
exp_l . • . exp_n  all  have  the  same  type  t,  then  t will  be  the 
type  of  the  expression.  otherwise.  the  type  will  be 
ONE_OF ( t 1 . t2»...»tk)  where  tl....tk  are  all  different,  and 
are  types  of  e xp_i . . . . » e xo_n  (in  no  particular  order). 
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Meaning!  The  value  of  the  expression  is  more  easily 
understood  by  using  tne  me  ta- f unc  t ion  Mtype_of'*  the  value  of 
which  would  De  the  type  of  its  single  argument. 

Then,  for  instance 

a = TYPECASE  w of 
type_i:  exp_l? 

tyoe_2*  exp_2? 
type_3!  exp_3? 

ENO? 

would  mean 

((type_of(w)  = type_l)  AND  a = exp_l> 

OR  ((type_of(w)  ~ = tyoe_l 

AND  type_of(w)  = tyoe_2) 

ANO  a = exp_2) 

OR  ((type_of(w)  ” = type_l 

AND  type_of(w>  “=  type_2 
AND  type_of(w)  = type_3) 

AND  a = exp_3) 

(iiHaCtli. ! There  are  several  restrictions  imposed  on  the  use 
of  this  construct.  We  will  call 

* ¥£C.i.2bJ.e  the  variaole  following  the  Keyword  TYPECASE? 

* c_.as.fc  I aoe  I s the  types  type_l,...t  type_n? 

* £siS.si  feiS.IlC.£S.S.iaa.a  exp_.lt.  «.t  exp_n? 


* The  type  of  the  case  variable  must  be  a united  type  equal  to 
the  type  that  would  be  obtained  by  taking  the  union  of  all  the 
case  labels. 

Example:  If  w is  of  Type 

0NE_0F ( INTEGER.  BOOLEAN,  capability) 
then 

TYPtCASE  w of 
INTEGER!  w? 

BOOLEAN!  IF  w = TRUE  THEN  1 ELSE  05 
capability:  get_uid(w)? 

END  ; 

is  a valid  expression? 

TYPECASE  w of 

0NE_0F( INTEGER.  300LEAN ) I TRUE? 
capabx I i ty : FALSE  ? 

END  ? 

is  also  valio. 
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(As  an  illustration,  let  us  mention  tnat  the  first  expression 
would  nave  the  type  0NE_0F  ( INTEGER,  ’*type_of  get_uid"),  whereas 
the  second  one  would  have  the  type  BOOLEAN.) 

On  the  contrary, 

TYPECASE  w OF 
INTEGER*  I? 

BOOLEAN  * L5 
END  ; 

is  incorrect  because  one  of  the  types  ts  missing. 

* Since  the  expression  itself  has  a type,  regular  type  checking 
is  performed. 

* When  the  type  of  each  case  expression  is  evaluated,  if  the  case 
variable  appears  in  the  expression,  it  is  taken  to  have  the 
type  of  the  corresponding  case  label. 

11.13*  LLL_E.X&C£.S.£.ISLQ£ 

It  is  sometimes  necessary  to  oind  some  variables  locally  inside  a 
particular  expressions.  Yet  their  use  is  generally  very 
limited.  When  it  seems  to  be  really  necessary,  the  user  can 
declare  a list  of  variables  immediately  before  using  them, 
their  scope  is  restricted  to  one  single  ex press ion,  and  the 
syntax  for  this  construct  is* 

LET  <qua I i f icat i on>  C ' I*  <qua I i f i ca t i on>  >* 

IN  <expression> 


The  value  and  tne  type  of  this  expression  are  those  of  the 
expression  following  the  keyword  IN.  The  closest  approximat ion  to 
tne  semantics  of* 

y = LET  x * P(x>  IN  «J(x  ) 

is  something  like 

+ x such  that  P(x)  AND  (y  = D(x>) 

out  this  is  only  an  example  of  the  use  of  this  construct. 

11.14.  iQl&_tX.aE12^iiaQ  S. 

The  SOME  construct  can  be  viewed  as  a kind  of  set  extractor. 
Tne  syntax  i s s 

SOME  <simple  declaration>  CINSET  I •**>  <expression> 


The  meaning  of  an  expression  such  as 


Page  Z 8 


SPECIAL  Reference  Manual 


August  13 1 1976 


SOME  x INSET  S 
Ltl  x 1NSLT  S IN  x 
and  similarly  if  • I * is  used. 

Tne  following  example  illustrates  the  use  of  this  constructi 

EFFECTS _0F  wake_up(  SOME  process  p 

INSET  wai t i ng_proc esses ( semi) ) 

which  might  Ds  an  assertion  inside  the  specification  for  a 
synchronization  primitive. 

11.15.  Ikfc_MLH_£ciml t i ve 

NEW  is  a special  construct  that  has  the  same  syntax  as  a 
function  of  one  argument: 

NEW  *(*  <sy mbo I > • ) • 

where  the  argument  should  be  the  name  of  a designator  type.  The  type 
of  t ms  expression  is  precisely  this  identifier,  and  the  meaning  is 
tnat  NEW(t)  represents  an  object  of  type  t tnat  has  never  been  used 
03  f ore. 


An  error  will  occur  if  the  argument  is  not  a DESIGNATOR  (even 
an  external  DESIGNATOR  will  not  work). 

11.16. 

In  addition  to  tne  various  operators  and  constructs  presented 
aoove,  tne  language  contains  several  functional  primitives. 

MAX,  MIN 

Syntax:  CMAX  I MINI  *(*  <expression>  *)* 

Type:  SET_0F  numoer  -->  number 

(wnere  number  is  either  INTEGER  or  REAL) 

Value:  the  largest  (respectively  smallest)  element  in  the  set 
described  in  the  expression. 

SUM 

Syntax:  SUM  *(*  <expression>  •)• 

Type:  SET_0F  numoer  -->  number 
or:  VECT0R_GF  number  -->  number 
Value:  tne  arithmetic  sum  of  all  the  elements  in  the  set 

(respectively  vector). 

INTPART,  FRACTPART 

syntax:  CINTPART  I FRACTPART}  •(•  <expression>  •)• 

Type:  REAl  -->  INTEGER  (resp.  REAL) 

Value:  T nese  two  constructs  can  be  viewed  as  predefined 

macros : 
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INTEGER  I NT  PART  ( REAL  x ) IS  SOME  INTEGER  y 1 y <=  x ANO  y «- 1 
> x; 

REAL  FRAC  TPART ( REAL  x ) IS  X - I NT PART ( x )? 

They  define*  respective  ly * the  integer  and  fractional  pari  of 
tne*r  argument  (surprised?). 

* * # * * * 

This  concludes  our  synTactic  description  of  the  language  for 
Tiodule  specifications.  We  will  now  concern  ourselves  with  some 
additional  precisions  concerning  the  use  of  certain  objects. 


12.  PRECEDENCE 


The  large  number  of  operators  in  the  assertion  language 
requires  a precise  definition  of  the  precedence  ordering*  that  is*  if 
opl  and  op2  one  two  operators  (let  js  say  binary)*  we  say  that  opi 
has  a higher  precedence  tnan  op?  if 

el  opl  e2  op2  e3 

has  the  same  meaning  as 

(el  opl  e2 ) op2  £3 

and 

el  op2  e2  opl  e3 
has  the  same  meaning  as 

el  op2  (e2  obi  e3) 

(Note  that  any  expression  can  always  be  enclosed  within  parentheses.) 

A general  rule  is  that  an  operator  returning  a Boolean  valued 
expression  has  always  a lower  precedence  than  an  operator  that 
returns  another  type.  This  rule  is  of  course  insufficient  to  compare 
operators  returning  the  same  type  of  expression. 

The  ordering  is  partial*  since  the  operators  cannot  be  freely 
combined  in  the  text  (e.g.»  INTER  can  hardly  oe  compared  with  «• ) . 

The  operators  are  listed  in  decreasing  order  of  precedence. 
Constructs  that  do  not  lead  to  ambiguities  (reference  to  functions* 
LENGTH*  CARDINALITY*  NEW*  vector  subscripting*  TYPECASE*  FORALL* 
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tXISTS,  vector  and  set  constructors,  LET,  and  SOME)  are  not  listed. 
Out  it  sfould  be  noted  that,  when  used  as  operands  with  any  of  the 
operators  lasted  below,  tne  constructs  using  IF,  ICT,  SOME,  FORALL, 
EXISTS,  and  TYPECASE  should  be  enclosed  within  parentheses. 


LbllkSkE 

unary  - 
*,  / , MOO 

♦ , - 


iaakEAM  sslLs. 


INTER 

UNION,  OIFF 

= , ~ , <,  < - , >= , >, 

INSET,  SJ3SET 

NOT 

ANO 

OR 


Of  interest  are  the  places  of  NOT,  INSET  and  =>  t thus 
(NOT  x)  INSET  S 

is  meaningful  only  if  x has  the  type  BOOLEAN  and  s is  a set  of 
BOOLEAN  (for  instance  ETRJET) 

NOT  x INSET  s =>  P(x) 

means  (x  INSET  s)  OR  P(x)  . 


13.  SCOPE  RULES 


A name  designates  an  object  by  two  mappings*  one  from  the 
name  to  a type  and  the  other  from  the  name  to  a "binding**  (in  the 
sense  described  in  Section  4). 

The  basic  rule  is  that  a name  cannot  oe  used  in  an  expression 
if  tne  value  of  either  of  the  two  mappings  is  undefined. 

Tne  dual  possibility  of  associating  a name  with  a type 
through  a declaration  has  been  describe;!  at  length  in  Section  4 and 
is  not  repeated  here. 
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13.1.  1 D.a_3.i.asHaa 

The  handing  of  an  object  is  estaolished  by  declaring  the  name 
one  wishes  to  associate  with  the  object  in  a predetermined  place  in 
the  text*  wnich  depends  on  the  category  of  the  object  itself  (by 
"dec  I ar i ng" , we  mean  that  the  name  can  appear  in  a declaration,  in  a 
neader,  or  in  the  place  of  a declaration  in  the  case  of  deferred 
Dinding) . 


Here  is  a table  that  indicates  the  place  where  a binding  is 
estaol ishad. 


aaLasi 

Global  definition 

tocal  definition 

Formal  argument 

Resu  1 1 ar  gument 
Quantified  variable 
Locally  bound  variable 


amdlaa 

Definition  in  the  DEFINITIONS 
par  agr  aph 

Definition  in  the  DEFINITIONS  section 
o f a f unc  t i on 

When  appearing  in  a function  or  macro 
header 


When  appearing  after  FORALL  and  EXISTS 

When  appearing  between  • C*  and  *1*,  or 
after  FOR,  LET  or  SOME 


13.2.  ££2ttsL_ai_a_ai(l£lia3 

We  define  the  scope  of  a name  as  that  part  of  a module 
specification  where  the  name  may  be  used  in  an  expression, 
independently  of  the  constraints  imposed  by  type  compatibility. 


Generally,  a binding  is  valid  from  the  place  where  it  was 
established  up  to  some  precise  place,  given  oelow  (although  in  some 
cases  we  give  the  scope  itself  rather  than  the  place  where  the 
pinding  is  destroyed). 

22l£.£i  fliadiaa 

Global  definitions  I he  whole  module 


Formal  and  result  arguments  Valid  only  in  the  specification  of  the 

corresponding  function  or  in  the 
expression  defining  the  macro 

Locally  bound  variable  The  a xpressi on (s ) following  the  * I * » 

INSET  or  *»•  after  FORALL,  EXISTS, 
LET,  SOME,  and  in  set  and  vector 
constructors. 
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An  important  additional  comment  is  that,  al though  it  is 
permitted  to  alter  a valid  binding  temporarily  (e.g.,  by  using  the 
name  of  a formal  argument  as  a locally  bound  war iabl e) « this  will 
nask  the  original  binding  for  tne  scope  of  the  new  one.  It  seems 
thuf  this  practice  shou  I d be  avoided,  inasmuch  as  it  can  bring  only 
confusion  in  the  specification. 


14.  COERCION  RULES 


As  has  oeen  said  in  Section  5*  a united  type  is  very  close  to 
being  a type  by  itself.  and  norma  I I y an  expression  of  a united  type 
snould  not  match  an  expression  of  one  of  the  components  of  the  united 
type.  However,  such  compatibility  is  permitted  in  some  cases.  The 
determination  of  these  cases  is  oased  on  what  is  known  as  the 
"coercion  rules”. 

The  first  case  of  coercion  is  the  TYPECASE  expression,  which 
snould  be  the  normal  (and  only)  way  to  coerce  “downwards",  i.e..  from 
a ur.iteo  type  to  a component  type.  Upward  coercion  (l.e.»  when  an 
expression  of  a simple  type  is  implicitly  converted  to  a united  type 
containing  the  original  type  as  one  of  its  components)  may  take  place 
in  the  following  cases* 

* When  a formal  argument  to  a function  is  of  a united  type*  the 
corresponding  actual  argument  may  be  of  a component  type. 

* In  an  expression  of  the  form  a = b.  where  a is  a quo  t ed  V- 
function  reference,  the  result  argument  of  the  V-functlon  being 
of  a united  type,  and  0 is  an  expression  of  a component  type. 

The  actual  rule  is  the  same  as  aoove  for  TYPECASE  expressions 
and  actual  arguments  to  functions.  It  is  more  general  in  the  other 
cases,  where  an  attempt  to  match  a united  type  against  one  of  its 
components  is  tolerated,  albeit  with  a warning  message  which  will 
hopefully  remind  the  user  that  he/she  is  walking  on  dangerous  ground. 
A warning  message  will  also  be  issued  when.  in  the  constructs  IF, 
SET,  and  VECTOR.  tne  types  of  the  constituent  expressions  do  not 
match.  However,  this  will  not  be  tne  case  for  the  binary  operators 
on  sets,  UNION.  INTER.  UIFF,  INSET,  and  SUBSET. 
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15.  COMMENTS 


Although  it  nas  oeen  barely  mentioned  so  far,  the  language 
nas  a comment  feature!  A comment  consists  of  the  sign  * $*  followed 
oy  a sequence  of  characters  without  any  space,  parentheses,  or  square 
oracket?  or  by  a string  of  characters  enclosed  within  two  double- 
quote signs  (")  (the  string  itself  containing  no  doub 1 e -quot e ) ? or  by 
any  sequence  of  characters  enclosed  witnin  two  matching  parentheses 
or  square  brackets  (in  tne  case  of  parentheses,  the  sequence  must  not 
contain  any  right  square  oracket  that  is  not  preceded  in  the  sequence 
oy  a left  one).  More  briefly,  a comment  can  be  described  as  a *$* 
followed  by  any  arbitrary  LISP  S-expressi on— see  (Tei  75). 

A comment  may  appear  at  any  place  where  a space  is  legal 
(i.e.,  anywhere  except  in  tne  middle  of  a syntactic  unit). 


16.  MAPPING  FUNCTION  EXPRESSIONS 


The  spe c i f i c a t i on s for  mapping  function  expressions  follow  a 
slightly  different  syntax,  although  tne  •‘expression"  part  of  the 
language  is  exactly  the  same. 

16.1.  daluls-tiaaias 

A list  of  mapping  functions  specifications  should  begin  with 

MAP  modu I e_l  TO  modu I e _2 » » • • » module_k» 

wnere  modul e_l  is  the  module  containing  the  functions  and  parameters 
to  be  expressed  as  functions  of  elements  of  modu  1 e_2  * • • • » ifiodu  I e_k  5 
module_l  is  referred  to  as  the  "target"  module. 

15.2.  HP.L.S. 

The  TYPES  paragraph  is  similar  to  the  one  described  for 
module  specifications,  and  it  abides  by  the  same  rules. 

1 6 • 3 . 

The  same  conventions  for  deferred  binding  can  optionally  be 
applied  and  the  DECLARATIONS  paragraph  provides  the  same  facility 
towards  this  end. 
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lb.  4.  aLFIHILiabli 

The  same  macro  capabilities  are  provided  in  the  DEFINITIONS 
para  graph. 


16.  b.  £mj*Nft.LRLF£ 

An  EXTEPNALREFS  paragraph  similar  to  the  one  optionally  used 
in  a module  spec i f i ca t i on  is  mandatory  for  mapping  functions?  it  must 
contain  declarations  for  all  the  primitive  objects  (i.e.»  designator 
3nd  scalar  types*  parameters*  and  (/-functions  tnat  are  not  derived) 
appearing  in  the  mapping  function. 

16.6. 

The  MAPPINGS  paragraph  begins  with  MAPPINGS,  It  contains  a 
list  of  pairs  of  the  form 

<ooject>  : <expression> ? 

or 

<symbol>  * <type  spec i f ica t i on> ? 

wnere  <expression>  is  any  expression  satisfying  the  rules  described 
earlier,  ana  <ob)ect>  is  one  of  the  following* 

* The  name  of  a parameter  of  the  target  module 

* the  n=me  of  a scalar  tyoe,  in  which  case  <expression>  must  be  a 
set  expression  consisting  of  a list  of  as  many  expressions  as 
there  are  constants  in  the  scalar  type  definition* 

* A construct  of  tht  form 

<symool>  (<argumeot  list») 

wnere  <symool>  is  tne  name  of  a visible  \/-function  or  a parameter 
(with  arguments)  of  the  target  module,  and  <argument  list>  is  a list 
of  formal  arguments  in  the  usual  sense. 

The  same  scope  rules  apply*  except  that  there  is  no  result 
ar  gumen  t . 

Tne  type  of  each  expression*  derived  from  the  types  of  its 
various  components  declared  eitner  in  the  declarations  or  in  the 
source  modules*  should  be  the  same  as  that  of  the  associated 
parameter  or  V-functlor.  An  the  target  module*  or  a set  expression  in 
the  case  of  a scalar  type  name. 

In  tne  second  form*  the  symbol  should  be  the  name  of  a 
designator  type  of  the  target  module,  ard  the  type  specification 
shou I o be  legal  in  at  least  one  of  tne  lower  modules. 
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1 7.  the  tenex-interlisp  implementation 


The  properties  of  specifications  can  oe  checked  automatically 
oy  o “specification  handler".  Such  a program  has  been  written  to  run 
under  the  TENEX  operating  system  on  a PDP-10  machine,  some  of  the 
conventions  used  (e.g.,  for  strings)  are  a consequence  of  the 
conventions  used  in  the  implementation  language  (namely  INTERLIS  . 

17.1.  SlOiaiS 

A string  is  the  equivalent  of  an  INTCRLISP  string,  i.e.,  an 
arbitrary  sequence  of  printable  ASCII  cnarecters  enclosed  within  two 
••  (double-quote)  » where  the  characters  " ar  d % have  to  be  represented 

as  X"  and  XX • 


1 7.2.  I j2e 


An  identifier  (generally  represented  as  <symbol>  in  this 
manual)  is  any  sequence  of  up  to  1E6  printable  ASCII  characters  which 
is  not  a number,  which  does  not  contain  any  of  the  characters  (,  , 

( , 1 , C » > » !»•*  • • * 


. . , , " » + , * » ' ’ 

and  which  does  not  start  with  either  " or  #. 
perfectly  legal  identifier. 

17.3.  E.  jJ_e._lDC.iuai.aa 

If  the  character  # appears  after  any  of  the 
in  the  previous  paragraph,  the  next  expression 
sense)  will  be  interpreted  as  a file  name,  and  the 
its  input  from  that  file  until  an  end  of  file  is 
point  it  will  come  back  to  the  original  file.  This 
i.e.,  the  included  file  may  itself  include  a 
although  a file  may  not  include  itself,  directly  or 


/,  •,  ',  ?,  $,  space? 

Note  that  17Ad!  is  a 


characters  listed 
(in  the  INTERLISP 
program  will  t ake 
reached,  at  which 
may  oe  repeated, 
third  one,  etc., 
ind irect 1 y . 


13.  CONCLUDING  REMARKS 


The  reader  may  have  noticed  (oy  tne  very  absence  of  such 
expressions)  that  nowhere  have  we  spoken  of  “the  value  of  a variab  e 
or*  "the  contents  of  a variable".  Such  pnrases  nave  been  Icarefu  y) 

.:s^--s=rs-.-^r-r?K 
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concept  of  a pointer*  and  this  could  be  introduced  only  as  a 
deSi gnat  or. 

SPECIAL  is  often  modified  to  deal  with  previously  unsuspected 
problems.  Part  of  the  work  to  be  done  in  order  to  design  a good 
soe  c i f i cat  i on  language  is  to  understand  fully  the  concepts  involved 
and  the  spec  i ti  ca  1 i on  methodology  on  which  the  language  is  based.  A 
very  desirable  goal  would  also  be  the  complete  ax iomat i Z3t ion  of  the 
language  constructs*  similar  to  the  work  done  on  Pascal  by  Hoare  and 
Wirth  (Hoa  73).  We  hope  to  come  jp  with  such  a formalization  in  the 
(more  or  less)  near  future. 
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APPENDIX  A J GRAMMAR 


Lsuaaa*  Tne  grammar  for  the  specification  language  is  given 
in  the  so-called  extended  BNF*  where  <...>  means  that  the  enclosed 
symbol  is  a nonterminal  of  the  grammar?  [...]  means  that  the 
enclosed  construct  is  optional?  means  that  the  enclosed 

construct  can  occur  0 or  more  times?  C...3+  means  1 or  more  times* 
and  {•••  ■ •••  I •••)  means  an  alternation*  i.e.*  any  of  the 

constructs  listed  can  oe  used. 

For  convenience*  all  the  nonal phaoetic  terminals  have 
Deen  enclosed  within  sample  quotes  (*). 

<sy  mbo I > stands  for  any  i Jent i f ier  f <number>  for  any 
integer  or  real  number. 
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ROOT 


<t  y pes> 

<typedeclaratior.> 

<typespecification> 


Pimple  declaration> 

< dec laration> 

< de c I ar  a t * ons> 
Parameters  > 
<parameterdfcClaratlon> 

<f  orma I args > 

<dec  laratiOnl is  t > 

<de  f ini t ions> 


Ji=  MODULE  <symbol>  [<types>]  [ <decl ara t ions> ] 

[ < par ame t ers > 1 f < de  f in  i t i ons  > J 
l < ex  t e rn  a 1 re  f s > 1 [ < f unc  t i ons  > 1 
EN0_M  ODULE 

sj=  MAP  <symbol>  TC  <symbol>  C *,*  <symbol>  J*  *?* 
I<types>l  t<dec I arat i ons>  1 C <pa r ame tens > ) 
[<defimfions>]  t<externalrefs>l  ' 

[ <mappings>]  EN0_MAP 

:t=  TYPES  C <typedecl  arat  ion>  *?*  T+ 

::=  <symbol>  C *»*  <symbol>  }*  *1* 

C DESIGNATOR  1 <t ypespec i f ica t i on> 

! <set express ion>  > 

s : = <sy  moo  I > 

«*  = INTEGER 
::=  BOOLEAN 
::=  REAL 
: l = CHAR 

::=  STRUCT  •(•  <dec» arationl ist>  *)* 
i{=  0NE_0F  •(•  < t ypespec i f ica t i on> 

C *,*  <typespecif ication>  >+  *)* 

::=  C S E T_0F  1 VECTOR_OF  1 < typespec 1 f i c at i on> 

ti=  <r y pe spec i f i ca t i on > <symbol> 

**  = <simple  declaration>  C *»*  <symbol>  }* 

::=  <symbol> 

tt=  DECLARATIONS  C < dec  I ara 1 1 on > * »*  > + 

PARAMETERS  C <par ameterdec I arati on>  *;*  >+ 

st=  < t y pespe c i f ica t i on>  <symbol>  [ <f or m a I ar gs > J 
C *»•  <symbol > (< formal args> 1 > 

»»  = *(*  l < dec  1 arat  ion  I 1st > J *)* 

[ •[*  <dec larationl ist>  *]*  ] 

:»  = < dec  I arat i on>  C •;*  < dec  I arat ion>  > * 

::=  DEFINITIONS  C <definition>  }+ 
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<<Je  f Ani  t i.on> 

<e  x t erna  I re  f s> 
<e  x t erna I gr oup> 
< a x t erna  J re  f > 


< f unct i ons> 

< f unct ionspec> 


<de  I ay> 

<5  xcept i ons> 

< e f f ect  s > 

< n a pp ings> 
<napp*ng> 

<expresSion> 


**  = <ty pespec  i f *cation>  <symboi > I <f orm a I ar gs> 1 
IS  <expression> 

::=  EXTERNALREFS  C external  group  >♦ 

li=  FROM  <symbol>  •*•  C <externa I ref > >♦ 

s : = <oar aneter dec  1 arat ion> 

«*  = <sympo I > C <symbol>  J*  ’«•  DESIGNATOR 

::=  <symbol>  <setexpression> 

tt=  C VFUN  I OVFJN  } <symbol>  <formalargs> 

*->•  <dec I arat ion> 

{*=  OFUN  <syubol>  <f ormal args> 

si-  FUNCTIONS  C < f unctionspec>  >♦ 

•J=  VFUN  <syubol>  <formalargs> 

*->*  < dec  I arat i on> 
t <de  f i ni t i ons  > ] 

IC  HIDDEN  ■ J*  I <exceptions>  >] 

C INITIALLY  I DERIVATION  > <exoression>  •?• 
Jt=  OVFUN  <symbol>  < f orma I args> 

•->•  < dec  I arat * on> 

I <de f i n 1 ti ons> J I <except ions> ] C <delay>  >* 
I <e f f ec  t s>  J 

s:=  OFUN  <symbol>  <formalargs>  I < de f in i t ions»  1 

l<exceptions>]  C <delay>  }*•  C<effects>] 


:»  = DELAY  UNTIL  <expression>  •?* 

«»  = EXCEPTIONS  C <expression> 

I EXCEPTI 0NS_0F  <call>  T >+ 

**  = EFFECTS  C <expression»  > + 

:i=  MAPPINGS  £ <napping>  )♦• 

M=  <symbol>  I < f orma I args> ] *1*  <expression> 
<symbol>  ' I*  <typespeci f lcation> 

:i=  IF  <expression>  THEN  <expression> 

ELSE  <expression> 

**  = LET  <qual 1 f lcation>  C 'i*  <qua  I i f i c a ti on> 

IN  <e  xpr essi on > 

!{=  SOME  < q ua I i f i cat  1 on> 

::=  C FORALL  I EXISTS  > <qua 1 i f \decl ara t ion  I i s t > 
• i * <e xpress i on> 
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::=  TYPECASE  <symbol*  OF  C <case>  }♦  ENO 

i:=  expression*  <binaryoperator>  expression* 
::=  C NOT  I } <expression> 

jj=  expression* 

j«=  •(•  <exonession>  *)* 

: t = <sy  moo  I > 

5S=  <number> 

»»  = <character  constant* 

;:=  <string  constant* 

t*  = TRUE  I FALSE  I UNDEFINED  I ? 

11=  expression*  *1*  expression*  *]* 
s : = <expressi on*  •.*  <symbol> 

*1  = C CARDINALITY  I LENGTH  I MAX  I MIN  S SUM 
I INTPART  I FRAC  T PART  > 

*(*  <expressian>  *)* 
is=  NEW  *(*  <symool*  ' 

: :=  IEFFECTS_OF]  <cal  I * 

: l = <5 tr uc tur econs true  tor > 
tl=  eectorconstructor* 

::  = <se t ex  press i on > 


< q ua I i f \ dec  I ara 1 1 on  I i s t * : : = C<qual I tication*  I <dec I arati on»> 

£ <qua  li f icat ion*  I < dec  1 aration*  J* 

< q ua  I i f i ca t i on*  :»  = I < t y pe spec i f * c at i on* J <symbol*  C *1*  I INSET  } 

<expressi or* 


<case>  ::  = <typespec i f icati on*  •:*  <expression> 

Ox naryoperator*  «»  = '**  I V I INTER  I *♦*  I •-*  » UNION  I DIFF  I 

•=•  j •-= • j •>•  : •>=•  j •<•  s •<=•  i 
INSET  I AND  I OR  1 SUBSET  I MOO  I •=>• 


<ca  I I * 


£•••]  <symbol>  *(*  [ <expression* 
C *»•  <expression*  >*1  *)* 


<structureconstructor* 


ii=  •<•  [ expression*  C *♦*  <expression*  >*  ] *>* 

:j=  •<•  x^ange*  ' I*  <expression>  * >• 


eectorc  on  struct  or* 


<~an  ge* 


«t  = VECTOR  *(•  I <exoression> 

C •»*  expression*  J*  ] •)• 

*:  = VECTOR  *{•  <range>  'I*  <expression>  *)* 

::=  FOR  <symool*  FROM  expression*  TO  ^expression* 


<s e t e xpress i on* 


: i = 


•C* 
* C* 


t <expression>  C *,*  <expression>  >*  1 
[ < t ype spec  i f i ca t i on  * 1 <symbol*  *'* 
<expressxon> 
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APPENOIX  B I RESERVED  HOROS 


The  following}  list  contains  all  t 
language*  i.t»*  the  identifiers  that  may 
arbitrary  ob)ects»  The  identifiers  T and  NIL* 
not  allowed  in  the  current  i mo  I ement at  ions  • 


he  reserved 
NOT  be  used 
al though  not 


words  of  the 
to  designate 
reserved*  are 


AND 

BOOLEAN 

CARDINALITY 

CHAP 

DECLARATIONS 
OEF INI T IONS 
DELAY 

DERIVATION 

DESIGNATOR 

DIFF 

EFFECTS 

Er FECTS.OF 

ELSE 

ENO 

END_MAP 
END.MOOULE 
EXCEPTIONS 
EX  CE  PTI 0NS_CF 
EXISTS 

EXTERNALREFS 

FALSE 

FOR 

FORALL 

-RACTPART 

FROM 

FJNCTIONS 

HIDDEN 

IF 

IN 

INITIALLY 

INSET 

INTEGER 

INTER 

INTPART 

IS 

length 


LET 

MAP 

MAPPINGS 

MAX 

MIN 

MOD 

MODULE 

NEW 

NOT 

OF 

OFUN 

ONE_OF 

OR 

OVFUN 

PARAMETERS 

REAL 

SET_OF 

SOME 

STRUCT 

SUBSET 

SUM 

THEN 

TO 

TRUE 

TYPECASE 

TYPES 

UNDEFINED 

UNION 

UNTIL 

VECTOR 

VEC  T OR_OF 

VFUN 
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*Appendix  C contains  only  those  Air  Force  comments  which  remain 
pertinent.  Many  comments  have  been  addressed  in  the  current 
specification. 


The  top  level  specification  shows  significant  progress  on  the  part  of 
Honeywell.  In  general,  the  functions  provided  in  specification  appear 
adequate.  However,  there  are  several  potential  difficulties  with  the 
current  specification.  These  difficulties  relate  to  the  specification 
detail  and  style  and  the  specific  design  decisions. 

The  specifications  in  their  current  state  are  more  detailed  than 
necessary  for  a top  level  specification.  The  top  level  specification 
need  specify  only  what  the  kernel  does.  The  current  specification 
indicates  how  the  kernel  is  implemented.  Specifying  too  much  detail 
has  the  drawback  of  complicating  the  proof  of  correspondence  between  the 
kernel  and  model  elements.  The  extra  detail  makes  the  specifications 
longer  which,  in  turn,  make  the  proofs  longer  and  more  complicated. 

Also  more  detailed  design  decisions  are  more  subject  to  change.  Changes 
to  the  kernel  design  after  the  proofs  could  be  costly  because  signifi- 
cant effort  may  be  required  to  reprove  the  specification. 

The  detail  of  the  current  specification  is  not  consistent.  The  report 
provides  great  detail  about  some  aspects  of  the  kernel  but  lacks  detail 
regarding  other  aspects  for  no  apparent  reason.  For  example,  the  report 
details  the  effect  of  encountering  a missing  page  (in  spite  of  the  claim 
that  paging  is  invisible)  but  leaves  out  other  details. 

The  memory  manager  interface  does  not  appear  adequate  to  permit  imple- 
mentation of  typical  memory  management  policies.  The  information  avail- 
able to  the  memory  manager  may  not  be  sufficient  to  implement  page 
management  strategies  such  as  least  recently  used  or  first— in,  first— out 
There  may  be  additional  data  which  would  be  helpful  and  not  affect 
security.  The  current  scheme  appears  to  restrict  the  memory  manager  to 
random  replacement  policy.*  Since  the  memory  manager  is  a system  high 
process,  it  seems  that  the  memory  manager  could  have  access  to  any  data 
maintained  by  the  kernel.  However,  the  memory  manager's  ability  to 
modify  kernel  maintained  data  has  to  be  controlled.  Typical  page  re- 
placement strategies  employ  sophisticated  data  bases  (e.g.  lists,  queues 
circular  lists,  etc.)  and  must  monitor  information  from  one  invocation 
to  another  (e.g.  pointers  to  where  the  search  for  candidates  for  removal 
ended  on  the  last  invocation,  are  often  maintained,  and  used  bits  are 
turned  off  so  that  page  use  between  successive  invocations  of  the  page 
replacement  activity  can  be  considered) . The  memory  manager  cannot 
reasonably  obtain  such  information  with  the  current  interface.  In  fact, 
a memory  manager  interface  that  is  both  general  and  efficient  many  not 
be  implementable . 


*Since  the  kernel  resets  the  page  used  indicators  at  each  invocation 
of  get  memory  data,  the  memory  manager  may  select  pages  not  used 
since  previous'  invocation  for  swapping  (see  Section  4.6  for  details). 


C-l 


The  report  claims  that  the  memory  manager  is  outside  the  kernel  and  can 
be  implemented  as  an  untrusted  process.  This  claim  is  not  readily 
apparent  since  the  report  does  not  provide  a proof  that  the  security 
provided  by  the  kernel  is  independent  of  the  memory  manager  and  because 
the  correct  behavior  of  the  kernel  (the  kernel's  ability  to  fulfill  its 
specification)  depends  on  the  memory  manager.  The  kernel  function 
get  memory  data  provides  the  memory  manager  with  system  high  information 
(the  security  level  of  the  used  and  modified  bits  is  the  level  of  the 
process  that  caused  the  bits  to  be  set) . The  add_pages_to_free_list  is 
an  interpretive  write  of  kernel  data.  The  level  of  the  data  provided 
to  the  kernel  is  system  high.  It  must  be  shown  that  the  data  provided 
to  the  kernel  is  not  visible  to  a lower  level  process.  Because  the 
correct  operation  of  the  kernel  depends  on  the  memory  manager,  the 
memory  manager  perhaps  requires  different  treatment  than  other  untrusted 
p£’OQ0gg05  for  policy  reasons.  Programs  outside  the  kernel  (not  including 
programs  upon  which  the  kernel  depends)  should  not  be  able  to  affect  the 
operation  of  the  memory  manager.  (For  example,  the  memory  manager  could 
operate  in  a more  privileged  ring  than  that  of  the  operating  system, 
and  the  "core"  security  kernel  could  protect  software  in  this  ring  just 
as  it  protects  the  software  of  its  own  ring.) 

The  previous  paragraphs  appear  to  conclude  that  the  approach  taken  for 
the  memory  manager  does  not  remove  the  memory  manager  from  the  kernel. 
Instead,  the  approach  may  simplify  verification  of  the  kernel  (assuming 
the  task  of  demonstrating  that  information  returned  to  the  kernel  by  the 
memory  manager  cannot  be  passed  downward  is  simpler  than  proving  correct- 
ness of  the  memory  manager) . 

The  rationale  for  not  allowing  process  creation  by  untrusted  processes 
is  not  apparent.  The  kernel  must  provide  a capability  to  create  and 
delete  processes.  The  additional  effort  to  permit  untrusted  processes 
to  use  these  functions  appears  minimal  and  may  result  in  other  simpli 
fications  of  the  kernel  such  as  the  answering  service. 

There  is  a requirement  that  the  top  level  specification  for  the  SFEP 
provide  multilevel  network  support.  Functions  in  support  of  a multi- 
level network  can  be  written  in  a general  manner  without  a specific 
network  in  mind. 

More  specific  comments  are  as  follows: 

Get  memory  data,  add_pages_to_f ree_list  - These  functions  provide  for 
memory  management.  However,  the  exception  should  include  a check  for 
the  caller  being  at  system  high. 

Get  device  data  - Since  devices  are  not  shared  or  pooled  in  the  SFEP 
33  are  memory  pages , there  may  be  no  use  for  this  function  or  the 
device  manager. 


C-2 


Async  device_read  and  async_device_write  - Since  these  are  hardware 
functions,  their  specification  must  accurately  reflect  the  hardware. 

Are  the  first  two  exceptions  that  the  device  must  be  active  and  that 
the  segment  number  hasn't  changed,  actually  checked  by  the  SPM?* 

Because  these  functions  are  performed  asynchronously,  the  exceptions 
may  have  to  be  considered  different  from  those  of  other  functions. 

Device_wake-up  - The  effects  of  this  function  are  very  much  like  the 
effects  that  may  occur  in  async_device_read  and  async_device_write  when 
asynchronous  exception  conditions  exist. 

Send  message,  receive  message  - Cannot  the  message  itself  be  an  argument 
to  the  function?  That  would  eliminate  most  of  the  exceptions  and  some 
of  the  effects.  True,  the  message  data  will  probably  not  move  from  its 
original  location  in  the  user's  segment,  but  most  of  the  exceptions 
listed  are  those  performed  by  argument  validation  anyway,  the  details 
of  which  are  never  specified. 

The  host-SFEP  communication  scheme  lacks  a method  for  communication 
between  system  processes  that  may  not  have  a device  as  a link.  Can  one 
at  this  time  rule  out  the  need  for  a more  general  process-to-process 
communication  link?  The  MITRE  specification  employs  a process-to-process 
communication,  with  more  generality  and  greater  specification  simplicity. 
When  one  considers  the  possibility  of  an  untrusted  single  level  network 
process  in  the  SFEP  that  may  have  to  communicate  with  more  than  one 
Multics  process,  the  generality  may  be  necessary. 


* 


The  exceptions  shown  are  checked  by  the  SPM  hardware. 


